Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 580518 (CVE-2016-4021) - <app-crypt/pgpdump-0.30: endless loop parsing specially crafted input (CVE-2016-4021)
Summary: <app-crypt/pgpdump-0.30: endless loop parsing specially crafted input (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2016-4021
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-19 10:44 UTC by Agostino Sarubbo
Modified: 2016-07-24 01:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-04-19 10:44:11 UTC 
From ${URL} :

A flaw was discovered in pgpdump. When pgpdump is run on specially crafted input, a 
Denial-of-Service
condition occurs. The program runs with 100% CPU usage for an indefinite amount of time.

External references:

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-030.txt

References:

http://seclists.org/bugtraq/2016/Apr/99

Upstream fix:

https://github.com/kazu-yamamoto/pgpdump/pull/16


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2016-04-19 22:07:04 UTC 
Version bumped.

amd64 x86 ppc sparc: Please stabilize
Comment 2 Agostino Sarubbo gentoo-dev 2016-04-20 08:56:41 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-06-27 08:49:55 UTC 
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-07-08 07:57:00 UTC 
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-08 10:05:32 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 02:52:18 UTC 
CVE-2016-4021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4021):
  The read_binary function in buffer.c in pgpdump before 0.30 allows
  context-dependent attackers to cause a denial of service (infinite loop and
  CPU consumption) via crafted input, as demonstrated by the \xa3\x03 string.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-07-09 02:53:34 UTC 
GLSA Vote: No

@maintainer(s), please cleanup.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-07-24 01:44:30 UTC 
Cleaned.