From ${URL}: "Tomáš Trnka discovered a heap-based buffer overflow in gpgme. He has provided a very good bug report in [1], so I'll refrain from copy and pasting it here. This is now fixed in version 1.5.1, the commit fixing this is linked in [2].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1113267
[2] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77"
This is also fixed in gpgme 1.4.4 that has also been released. To recap: Fixed versions are: 1.4.4 and 1.5.1.
+ 31 Jul 2014; Kristian Fiskerstrand <k_f@gentoo.org> +gpgme-1.4.4.ebuild, + +gpgme-1.5.1.ebuild: + Version bump to 1.4.4 and 1.5.1 due to security bug #518646 (CVE-2014-3564)
+ 31 Jul 2014; Kristian Fiskerstrand <k_f@gentoo.org> + +files/gpgme-1.3.2-CVE-2014-3564.patch, +gpgme-1.3.2-r1.ebuild: + Revbump with backported patch for security bug #518646 (CVE-2014-3564)
Arches, please stabilize: =app-crypt/gpgme-1.3.2-r1
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable on alpha.
amd64 stable
x86 stable
arm stable
ia64/sparc stable
Stable for HPPA.
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
Cleanup done.
+ 09 Aug 2014; Kristian Fiskerstrand <k_f@gentoo.org> -gpgme-1.3.0-r1.ebuild, + -gpgme-1.3.1.ebuild, -gpgme-1.3.2.ebuild, -gpgme-1.4.3.ebuild, + -gpgme-1.5.0.ebuild: + Cleanup old versions for security bug #518646
GLSA vote: no.
NO too, closing.