Bugzilla – Bug 890123
VUL-0: CVE-2014-3564: gpgme 1.5.1 Fixes possible overflow in gpgsm and uiserver engines
Last modified: 2014-09-01 09:56:29 UTC
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0
From http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob;f=NEWS;h=0ea405bae60b037b22fe5c63de97fed85f40e976;hb=bfe18a0651177025ff0a6b978a641bdd1472a0b1
  Noteworthy changes in version 1.5.1 (2014-07-30) [C24/A13/R0]
  -------------------------------------------------------------
   * Fixed possible overflow in gpgsm and uiserver engines.
     [CVE-2014-3564]
   * Added support for GnuPG 2.1's --with-secret option.
   * Interface changes relative to the 1.5.0 release:
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   GPGME_KEYLIST_MODE_WITH_SECRET NEW.
Reproducible: Didn't try
Patch for CVE-2014-3564: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
Created attachment 600820
patch for this issue
applies back to at least 1.3.2 (openSUSE 12.3)
1.5.1 for Base:System / gpgme:
https://build.opensuse.org/request/show/243547
Maintenance request with patch openSUSE 12.3 and 13.1:
https://build.opensuse.org/request/show/243548
Please review. SLE certainly affected, cc bugowner.
Thanks Andreas,
All SLE gpgme packages are indeed affected.
Announcement:
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000350.html
> * Noteworthy changes in version 1.4.4 (2014-07-30)
>   - Fixed possible overflow in gpgsm and uiserver engines.
>     [CVE-2014-3564]
>   - Fixed possible segv in gpgme_op_card_edit.
>   - Fixed minor memleaks and possible zombie processes.
>   - Fixed prototype inconsistencies and void pointer arithmetic.
They made a maintenance release for gpgme 1.4.x (openSUSE 13.1), propose straight update there.
https://build.opensuse.org/request/show/243910
openSUSE-SU-2014:1039-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 890123
CVE References: CVE-2014-3564
Sources used:
openSUSE 13.1 (src): gpgme-1.4.4-2.4.1
openSUSE 12.3 (src): gpgme-1.3.2-2.4.1
Affected packages:
SLE-10-SP3-TERADATA: gpgme
SLE-11-SP1: gpgme
SLE-11-SP3: gpgme
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-09-04.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58689
SUSE-SU-2014:1073-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 890123
CVE References: CVE-2014-3564
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): gpgme-1.1.6-25.32.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): gpgme-1.1.6-25.32.1
SUSE Linux Enterprise Server 11 SP3 (src): gpgme-1.1.6-25.32.1
SUSE Linux Enterprise Desktop 11 SP3 (src): gpgme-1.1.6-25.32.1
was released