Post on oss-security: https://marc.info/?l=oss-security&m=165657063921408&w=2 Partial quote: """ After discovering that gpgv does not support --exit-on-status-write-error, I decided to check if it handles write errors on the status file descriptor properly. I ultimately found that while such errors are *not* handled properly, exploiting this flaw in practice would likely be very difficult and unreliable. However, in the course of this research (and entirely accidentally), I found that if a signature has a notation with a value of 8192 spaces, gpg will crash while writing the notation's value to the status FD. This turned out to be a far more severe flaw, with consequences including the ability to make a signature that will appear to be ultimately valid and made by a key with any fingerprint one wishes. """
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=988fa70ca5731f8d4a1862d559603cbf13d569be commit 988fa70ca5731f8d4a1862d559603cbf13d569be Author: Sam James <sam@gentoo.org> AuthorDate: 2022-06-30 20:01:02 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-06-30 20:01:08 +0000 app-crypt/gnupg: backport signature status message fix Bug: https://bugs.gentoo.org/855395 Signed-off-by: Sam James <sam@gentoo.org> .../gnupg-2.2.35-status-messages-garbled.patch | 45 ++++++ .../gnupg-2.3.6-status-messages-garbled.patch | 45 ++++++ app-crypt/gnupg/gnupg-2.2.35-r1.ebuild | 160 ++++++++++++++++++++ app-crypt/gnupg/gnupg-2.3.6-r1.ebuild | 165 +++++++++++++++++++++ 4 files changed, 415 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3070f3b4f2d5f3de77046e8594493fb041f86176 commit 3070f3b4f2d5f3de77046e8594493fb041f86176 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-07-12 01:27:32 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-07-12 01:27:59 +0000 app-crypt/gnupg: add 2.3.7 Note that CVE-2022-34903 was already fixed in 2.4.6-r1 in Gentoo. Bug: https://bugs.gentoo.org/855395 Signed-off-by: Sam James <sam@gentoo.org> app-crypt/gnupg/Manifest | 2 + app-crypt/gnupg/gnupg-2.3.7.ebuild | 164 +++++++++++++++++++++++++++++++++++++ 2 files changed, 166 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2 commit edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-08-10 08:41:19 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-08-10 08:41:29 +0000 [ GLSA 202408-23 ] GnuPG: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/855395 Bug: https://bugs.gentoo.org/923248 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202408-23.xml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+)