A security issue has been fixed in GnuPG 1.4.17 that was just released. There is currently no released version containing this fix for the 2.0 branch, but it is fixed upstream in http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=014b2103fcb12f261135e3954f26e9e07b39e342

Quoting the 1.4 branch commit from http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a

    gpg: Avoid infinite loop in uncompressing garbled packets.

    * g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
    --
    A packet like (a3 01 5b ff) leads to an infinite loop.  Using
    --max-output won't help if it is a partial packet.  This patch actually
    fixes a regression introduced on 1999-05-31 (c34c6769).  Actually it
    would be sufficient to stuff just one extra 0xff byte.  Given that this
    problem popped up only after 15 years, I feel safer to allow for a very
    few FF bytes.

    Thanks to Olivier Levillain and Florian Maury for their detailed report.
Added gnupg-1.4.17 into tree. I suggest waiting a few days for the 2.x version.
We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.24.
(In reply to Kristian Fiskerstrand from comment #2)
> We are pleased to announce the availability of a new stable GnuPG-2
> release: Version 2.0.24.

thanks! in tree.
Thanks Alon. It builds cleanly and functionally for me on amd64; however, I'm giving the latest version a little time to reach the GnuPG FTP mirrors specified in SRC_URI before starting a STABLEREQ. It is currently only available on the main FTP server.
Arches, please stabilize:

=app-crypt/gnupg-1.4.17
=app-crypt/gnupg-2.0.24

Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Please abort stabilization: an issue has been raised on the gnupg-users list and new versions will be released.
CVE-2014-4617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4617): The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
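The commit message quoted in comment #0 and the CVE text above both describe the same failure mode: do_uncompress stuffs 0xff bytes into the inflater whenever the input runs dry, and the garbled four-byte packet keeps the inflater asking for more without ever reaching an end-of-block, so the pre-fix loop never terminates. The script below is an added illustration written for this bug entry; it is not GnuPG code and does not reproduce GnuPG's internals (window size, iobuf layers, --max-output handling). It decodes the old-format packet header of the cited a3 01 5b ff sequence, then runs a small model of the FF-stuffing inflate loop with the bounded budget the fix describes, using Python's zlib as the inflater. The budget value (32) and the report dictionary are this example's own choices, not values from the patch.

```python
import zlib

# Constructed sample: the four bytes quoted in the commit message and the CVE text.
MALFORMED_PACKET = bytes.fromhex("a3015bff")

COMPRESSED_DATA_TAG = 8      # OpenPGP packet tag: Compressed Data
INDETERMINATE_LENGTH = 3     # old-format length type 3: no length field at all
# OpenPGP compression algorithm byte -> zlib window setting used by this example.
# 1 = ZIP (raw DEFLATE, no header), 2 = ZLIB (DEFLATE with zlib header/trailer).
WBITS_FOR_ALGO = {1: -zlib.MAX_WBITS, 2: zlib.MAX_WBITS}


def parse_old_format_header(packet):
    """Decode an old-format OpenPGP packet tag byte into (tag, length_type).

    0xa3 = 1010 0011: bit 7 set (valid CTB), bit 6 clear (old format),
    bits 5..2 = 1000 = tag 8, bits 1..0 = 11 = length type 3 (indeterminate)."""
    ctb = packet[0]
    if not ctb & 0x80:
        raise ValueError("bit 7 must be set in a packet tag byte")
    if ctb & 0x40:
        raise ValueError("new-format header; this example only handles old-format")
    return (ctb >> 2) & 0x0F, ctb & 0x03


def inflate_with_ff_stuffing(data, algo, max_extra_ff):
    """Inflate `data`; when it is exhausted, feed one 0xff byte at a time until
    the stream ends or `max_extra_ff` bytes have been stuffed.

    The pre-fix shape of this loop is `while not inflater.eof:` with no budget.
    0x5b opens a final fixed-Huffman block, and in the fixed code the nine-bit
    string 111111111 is literal 255, so a run of 0xff bytes decodes to output
    forever and never contains the end-of-block code: the unbounded loop spins.
    Returns (output, extra_ff_fed, finished)."""
    inflater = zlib.decompressobj(wbits=WBITS_FOR_ALGO[algo])
    out = bytearray(inflater.decompress(data))
    extra = 0
    while not inflater.eof and extra < max_extra_ff:
        out += inflater.decompress(b"\xff")
        extra += 1
    return bytes(out), extra, inflater.eof


def decompress_packet(packet, max_extra_ff=32):
    """Parse the header, then inflate the body with a bounded 0xff budget.
    Returns a report dict so the outcome can be inspected rather than printed."""
    tag, length_type = parse_old_format_header(packet)
    if tag != COMPRESSED_DATA_TAG:
        raise ValueError(f"not a Compressed Data packet (tag {tag})")
    algo, body = packet[1], packet[2:]
    out, extra, finished = inflate_with_ff_stuffing(body, algo, max_extra_ff)
    return {
        "indeterminate_length": length_type == INDETERMINATE_LENGTH,
        "output": out,
        "extra_ff_fed": extra,
        "finished": finished,
    }


def roundtrip_valid_stream(plaintext=b"hello", max_extra_ff=4):
    """Positive control: a complete raw-DEFLATE body behind the same a3 01
    header finishes on its own input and needs no 0xff stuffing at all."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    body = comp.compress(plaintext) + comp.flush()
    return decompress_packet(bytes([0xA3, 0x01]) + body, max_extra_ff)


if __name__ == "__main__":
    report = decompress_packet(MALFORMED_PACKET)
    print("garbled packet: finished=%s after %d stuffed 0xff bytes, %d output bytes"
          % (report["finished"], report["extra_ff_fed"], len(report["output"])))
    print("valid packet:", roundtrip_valid_stream())
```

With the budget in place the garbled packet gives up after the configured number of stuffed bytes and reports finished=False, which is the condition a caller would turn into a "corrupted packet" error; removing the `extra < max_extra_ff` term from the loop condition reproduces the hang described in the CVE text.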
"Wer(sic) are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.25. This release fixes a regression introduced with the 2.0.24 release."
Added. What about gnupg-1.x?
(In reply to Alon Bar-Lev from comment #9)
> Added. What about gnupg-1.x?

1.4.18 is already tagged in the git repo and should be released soon.
(In reply to Kristian Fiskerstrand from comment #10)
> (In reply to Alon Bar-Lev from comment #9)
> > Added. What about gnupg-1.x?
>
> 1.4.18 is already tagged in the git repo and should be released soon.

We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.18. This release fixes a regression introduced with the 1.4.17 release.
Added, thanks!
Arches, please stabilize:

=app-crypt/gnupg-1.4.18
=app-crypt/gnupg-2.0.25

Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
The previous summary was correct for the security fix. However, it introduced a usability issue, hence stopping stabilization of those versions.
Stable for HPPA.
I stabilized =app-crypt/gnupg-2.0.25 on amd64. The 1.4 branch still remains to be done.
amd64 done
x86 stable
alpha stable
ppc stable
ppc64 stable
ia64 stable
arm stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Thanks. New GLSA request filed
arm64 stable for gnupg-2 only.
This issue was resolved and addressed in GLSA 201407-04 at http://security.gentoo.org/glsa/glsa-201407-04.xml by GLSA coordinator Mikle Kolyada (Zlogene).