Bug 518646 (CVE-2014-3564) - <app-crypt/gpgme-{1.3.2-r1,1.4.4,1.5.1}: heap-based buffer overflow in gpgsm status handler (CVE-2014-3564)
Status: RESOLVED FIXED
Alias: CVE-2014-3564
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q3/266
Whiteboard: B3 [noglsa]
Reported: 2014-07-31 08:56 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-08-09 19:01 UTC
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-31 08:56:09 UTC
From ${URL}: 
"Tomáš Trnka discovered a heap-based buffer overflow in gpgme. He has
provided a very good bug report in [1], so I'll refrain from copy
and pasting it here.

This is now fixed in version 1.5.1, the commit fixing this is linked in
[2].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1113267
[2] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77"
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-31 09:03:56 UTC
This is also fixed in gpgme 1.4.4 that has also been released. 

To recap: Fixed versions are: 1.4.4 and 1.5.1.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-31 10:01:31 UTC
+  31 Jul 2014; Kristian Fiskerstrand <k_f@gentoo.org> +gpgme-1.4.4.ebuild,
+  +gpgme-1.5.1.ebuild:
+  Version bump to 1.4.4 and 1.5.1 due to security bug #518646 (CVE-2014-3564)
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-31 13:41:25 UTC
+  31 Jul 2014; Kristian Fiskerstrand <k_f@gentoo.org>
+  +files/gpgme-1.3.2-CVE-2014-3564.patch, +gpgme-1.3.2-r1.ebuild:
+  Revbump with backported patch for security bug #518646 (CVE-2014-3564)

Arches, please stabilize:
=app-crypt/gpgme-1.3.2-r1
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2014-07-31 15:20:32 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2014-08-02 13:44:33 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-08-02 13:48:13 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2014-08-03 18:29:42 UTC
arm stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2014-08-04 18:37:43 UTC
ia64/sparc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-06 09:24:12 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2014-08-09 09:35:02 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-09 09:35:09 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-09 10:25:06 UTC
Cleanup done. 

+  09 Aug 2014; Kristian Fiskerstrand <k_f@gentoo.org> -gpgme-1.3.0-r1.ebuild,
+  -gpgme-1.3.1.ebuild, -gpgme-1.3.2.ebuild, -gpgme-1.4.3.ebuild,
+  -gpgme-1.5.0.ebuild:
+  Cleanup old versions for security bug #518646
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-09 18:59:53 UTC
GLSA vote: no.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2014-08-09 19:01:35 UTC
NO too, closing.