Bug 37841
| Summary: | gnupg: Multiple issues (4.0) | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Security updates | Assignee: | Janek Walkenhorst <walkenhorst> |
| Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
| Severity: | normal | ||
| Priority: | P2 | CC: | gohmann, jmm |
| Version: | UCS 4.0 | ||
| Target Milestone: | UCS 4.0-1-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | Security | |
| Max CVSS v3 score: | |||
|
Description
Arvid Requate
Side-channel attack on El-Gamal keys (CVE-2014-3591) Side-channel attack in the mpi_pow() function (CVE-2015-0837) (In reply to Arvid Requate from comment #0) > CVE-2015-1607: memcpy with overlapping ranges when using non-standard keyring This won't be fixed in Debian stable; the patch is very intrusive and the impact of the security bug is marginal (only triggerable when importing malformed keyring data). As such, it won't be fixed in UCS either. Tests (i386): OK Advisory: 2015-03-19-gnupg.yaml OK: apt-cache policy gnupg # 1.4.12-7.66.201503191340 OK: aptitude install '?source-package(gnupg)?installed' # i386 #amd64 OK: zless /usr/share/doc/gnupg/changelog.Debian.gz OK: gpg --dearmor <debian/patches/CVE-2015-1606.patch >./FILE ; gpg --no-default-keyring --keyring ./FILE --export >/dev/null OLD: gpg: Segmentation fault caught ... exiting NEW: gpg: skipped packet of type 11 in keyring OK: CVE-2015-1606 CVE-2014-3591 CVE-2015-0837 OK: 2015-03-19-gnupg.yaml OK: errata-announce -V 2015-03-19-gnupg.yaml |