Bugzilla – Bug 884130
VUL-0: CVE-2014-4617: gpg, gpg2: GnuPG denial of service through infinite loop with garbled compressed data packets
Last modified: 2014-07-30 18:49:08 UTC
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:30.0) Gecko/20100101 Firefox/30.0
GnuPG before 1.4.17 and 2.0.24 have a possible DoS vulnerability when using garbled compressed data packets which can be used to put gpg into an infinite loop.
[Announce] [security fix] GnuPG 1.4.17 released
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
[Announce] [security fix] GnuPG 2.0.24 released
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=014b2103fcb12f261135e3954f26e9e07b39e342
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a
http://seclists.org/oss-sec/2014/q2/632
>> A packet like (a3 01 5b ff) leads to an infinite loop.
> Use CVE-2014-4617 for this issue affecting both GnuPG 1.x before 1.4.17 and 2.x before 2.0.24.
Reproducible: Didn't try
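Decoding the sample packet quoted in the report above, as an added example that is not part of the bug report or of GnuPG's code: a small OpenPGP packet-header parser following RFC 4880 section 4.2, which shows that `a3 01 5b ff` is an old-format Compressed Data packet (tag 8) of indeterminate length using algorithm 1 (ZIP), followed by two bytes of compressed data. The function and constant names are assumptions chosen for illustration.

```python
# Added example: OpenPGP packet header decoding per RFC 4880, section 4.2.
COMPRESSED_DATA_TAG = 8
COMPRESSION_ALGOS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}


def _need(data, n):
    if len(data) < n:
        raise ValueError("truncated packet header")


def parse_header(data):
    """Return (tag, header_len, body_len); body_len is None when the
    length is indeterminate (old format) or partial (new format)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of first octet is clear")
    first = data[0]
    if first & 0x40:                       # new format: tag in bits 5-0
        tag = first & 0x3F
        _need(data, 2)
        o1 = data[1]
        if o1 < 192:                       # one-octet length
            return tag, 2, o1
        if o1 < 224:                       # two-octet length
            _need(data, 3)
            return tag, 3, ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255:                      # five-octet length
            _need(data, 6)
            return tag, 6, int.from_bytes(data[2:6], "big")
        return tag, 2, None                # partial body length
    tag = (first >> 2) & 0x0F              # old format: tag in bits 5-2
    length_type = first & 0x03
    if length_type == 3:                   # indeterminate length
        return tag, 1, None
    n = 1 << length_type                   # 1, 2 or 4 length octets
    _need(data, 1 + n)
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")


def describe(data):
    """Summarise a packet; for Compressed Data, name the algorithm."""
    tag, header_len, body_len = parse_header(data)
    info = {"tag": tag, "header_len": header_len, "body_len": body_len}
    if tag == COMPRESSED_DATA_TAG and len(data) > header_len:
        end = len(data) if body_len is None else header_len + body_len
        algo = data[header_len]            # first body octet: algorithm id
        info["algorithm"] = COMPRESSION_ALGOS.get(algo, "unknown (%d)" % algo)
        info["compressed_bytes"] = data[header_len + 1:end].hex()
    return info
```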
SR to Base:System / gpg2: https://build.opensuse.org/request/show/238555
Created attachment 595827
backported patch
Differs from upstream patch in context only, plus white space content in hunk #4
Maintenance request for gpg2 on openSUSE 12.3 and 13.1, please review: https://build.opensuse.org/request/show/238557
This regression was introduced in 1999, so all versions of SLE are affected.
so also gpg and gpg2
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-07-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58019
Affected packages:
SLE-10-SP3-TERADATA: gpg, gpg2
SLE-11-SP3: gpg2
SLE-9-SP3-TERADATA: gpg
Thanks for the openSUSE update and the patch, Andreas.
openSUSE-SU-2014:0866-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 884130
CVE References: CVE-2014-4617
Sources used:
openSUSE 13.1 (src): gpg2-2.0.22-8.1
openSUSE 12.3 (src): gpg2-2.0.19-5.16.1
Update released for: gpg2, gpg2-debuginfo
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: gpg, gpg-debuginfo
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: gpg
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0896-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 884130
CVE References: CVE-2014-4617
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): gpg2-2.0.9-25.33.39.1
SUSE Linux Enterprise Server 11 SP3 (src): gpg2-2.0.9-25.33.39.1
SUSE Linux Enterprise Desktop 11 SP3 (src): gpg2-2.0.9-25.33.39.1
openSUSE-SU-2014:0952-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 884130
CVE References: CVE-2014-4617
Sources used:
openSUSE 11.4 (src): gpg2-2.0.19-22.1