Bug 844175 (CVE-2013-4402) - VUL-0: CVE-2013-4402: GnuPG 2.0.22 and 1.4.15 fix denial of service through infinite recursion in the compressed packet parser CVE-2013-4402
Status: RESOLVED FIXED
Alias: CVE-2013-4402
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All / OS: openSUSE 12.3
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Deadline: 2013-10-21
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:54672:moderate maint:r...
Keywords:
Depends on:
Blocks: 941439
Reported: 2013-10-05 11:27 UTC by Andreas Stieger
Modified: 2015-08-12 12:32 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch based on upstream commit on 1.4.x branch (5.04 KB, patch)
2013-10-05 18:46 UTC, Andreas Stieger
patch based on upstream commit on 2.0.x branch (5.29 KB, patch)
2013-10-05 18:47 UTC, Andreas Stieger

Description Andreas Stieger 2013-10-05 11:27:55 UTC
From http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000333.html

What's New in 2.0.22
====================

 * Fixed possible infinite recursion in the compressed packet
   parser. [CVE-2013-4402]
 * Improved support for some card readers.
 * Prepared building with the forthcoming Libgcrypt 1.6.
 * Protect against rogue keyservers sending secret keys.


Also GnuPG 1.4.15 contains the fix.

Reproducible: Always

Comment 1 Andreas Stieger 2013-10-05 12:34:39 UTC
SR to Base:System: https://build.opensuse.org/request/show/202365

git.gnupg.org is down atm, cannot get the single patch for a maintenance update.
Comment 2 Bernhard Wiedemann 2013-10-05 16:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (844175) was mentioned in
https://build.opensuse.org/request/show/202374 Factory / gpg2
Comment 3 Marcus Meissner 2013-10-05 17:11:54 UTC
remote denial of service
Comment 4 Swamp Workflow Management 2013-10-05 17:13:31 UTC
The SWAMPID for this issue is 54672.
This issue was rated as moderate.
Please submit fixed packages until 2013-10-21.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Marcus Meissner 2013-10-05 17:17:22 UTC
thanks for the heads up! :)
Comment 7 Andreas Stieger 2013-10-05 18:46:43 UTC
Created attachment 561577 [details]
patch based on upstream commit on 1.4.x branch

From http://lists.gnupg.org/pipermail/gnupg-commits/2013-October/010131.html
Comment 8 Andreas Stieger 2013-10-05 18:47:37 UTC
Created attachment 561578 [details]
patch based on upstream commit on 2.0.x branch

From http://lists.gnupg.org/pipermail/gnupg-commits/2013-October/010132.html
Comment 9 Andreas Stieger 2013-10-05 18:57:57 UTC
(In reply to comment #8)
> Created an attachment (id=561578) [details]
> patch based on upstream commit on 2.0.x branch
> 
> From http://lists.gnupg.org/pipermail/gnupg-commits/2013-October/010132.html

Review maintenance request for openSUSE 12.2 and 12.3 using this patch:
https://build.opensuse.org/request/show/202386
Comment 11 Vítězslav Čížek 2013-10-05 22:42:42 UTC
Thanks for the patches, Andreas!
Fixed packages for SLE have been submitted.
Comment 13 Bernhard Wiedemann 2013-10-10 17:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (844175) was mentioned in
https://build.opensuse.org/request/show/202893 Evergreen:11.2:Test / gpg2
Comment 14 Swamp Workflow Management 2013-10-14 14:04:35 UTC
openSUSE-SU-2013:1546-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 844175
CVE References: CVE-2013-4402
Sources used:
openSUSE 12.3 (src):    gpg2-2.0.19-5.12.1
openSUSE 12.2 (src):    gpg2-2.0.19-2.17.1
Comment 15 Swamp Workflow Management 2013-10-16 06:04:21 UTC
openSUSE-SU-2013:1552-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 844175
CVE References: CVE-2013-4402
Sources used:
openSUSE 11.4 (src):    gpg2-2.0.19-18.1
Comment 16 Bernhard Wiedemann 2013-10-19 19:00:30 UTC
This is an autogenerated message for OBS integration:
This bug (844175) was mentioned in
https://build.opensuse.org/request/show/203987 Evergreen:11.2 / gpg2
Comment 17 Marcus Meissner 2013-10-25 12:15:18 UTC
released
Comment 18 Swamp Workflow Management 2013-10-25 13:04:30 UTC
Update released for: gpg
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 19 Swamp Workflow Management 2013-10-25 13:04:54 UTC
Update released for: gpg, gpg-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 20 Swamp Workflow Management 2013-10-25 13:05:17 UTC
Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 21 Swamp Workflow Management 2013-10-25 14:49:33 UTC
Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 22 Swamp Workflow Management 2013-10-25 14:54:01 UTC
Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 23 Swamp Workflow Management 2013-10-25 15:04:31 UTC
Update released for: gpg2, gpg2-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 24 Swamp Workflow Management 2013-10-25 15:46:56 UTC
Update released for: gpg, gpg-debuginfo
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 25 Swamp Workflow Management 2013-10-25 15:48:19 UTC
Update released for: gpg, gpg-debuginfo
Products:
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
Comment 26 Swamp Workflow Management 2014-06-03 19:47:37 UTC
Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 27 Swamp Workflow Management 2014-06-03 23:05:49 UTC
SUSE-SU-2014:0750-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 778723,780943,798465,808958,840510,844175
CVE References: 
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    gpg2-2.0.9-25.33.37.6