Debian Bug report logs -
#472928
gnupg2: CVE-2008-1530 memory corruption via crafted key file
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Thu, 27 Mar 2008 09:45:16 UTC
Severity: grave
Tags: security
Found in version gnupg2/2.0.8-1
Fixed in version gnupg2/2.0.9-1
Done: Eric Dorland <eric@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Eric Dorland <eric@debian.org>:
Bug#472928; Package gnupg2.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Eric Dorland <eric@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: gnupg2
Version: 2.0.8-1
Severity: grave
Tags: security
Justification: user security hole
http://www.ocert.org/advisories/ocert-2008-1.html
It's fixed in 2.0.9, Sarge and Etch are not affected. There's no CVE yet.
Cheers,
Moritz
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages gnupg2 depends on:
ii libbz2-1.0 1.0.5-0.1 high-quality block-sorting file co
ii libc6 2.7-9 GNU C Library: Shared libraries
ii libcurl3-gnutls 7.18.0-1 Multi-protocol file transfer libra
ii libgcrypt11 1.4.0-3 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libkrb53 1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
ii libksba8 1.0.3-1 X.509 and CMS support library
ii libreadline5 5.2-3 GNU readline and history libraries
ii zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime
Versions of packages gnupg2 recommends:
ii libldap2 2.1.30.dfsg-13.5 OpenLDAP libraries
-- no debconf information
Changed Bug title to `gnupg2: CVE-2008-1530 memory corruption via crafted key file' from `gnupg2: Key import memory corruption'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Fri, 28 Mar 2008 00:09:02 GMT) (full text, mbox, link).
Reply sent to Eric Dorland <eric@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #12 received at 472928-close@bugs.debian.org (full text, mbox, reply):
Source: gnupg2
Source-Version: 2.0.9-1
We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive:
gnupg-agent_2.0.9-1_amd64.deb
to pool/main/g/gnupg2/gnupg-agent_2.0.9-1_amd64.deb
gnupg2_2.0.9-1.diff.gz
to pool/main/g/gnupg2/gnupg2_2.0.9-1.diff.gz
gnupg2_2.0.9-1.dsc
to pool/main/g/gnupg2/gnupg2_2.0.9-1.dsc
gnupg2_2.0.9-1_amd64.deb
to pool/main/g/gnupg2/gnupg2_2.0.9-1_amd64.deb
gnupg2_2.0.9.orig.tar.gz
to pool/main/g/gnupg2/gnupg2_2.0.9.orig.tar.gz
gpgsm_2.0.9-1_amd64.deb
to pool/main/g/gnupg2/gpgsm_2.0.9-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 472928@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated gnupg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 29 Mar 2008 03:21:21 -0400
Source: gnupg2
Binary: gnupg-agent gpgsm gnupg2
Architecture: source amd64
Version: 2.0.9-1
Distribution: unstable
Urgency: low
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description:
gnupg-agent - GNU privacy guard - password agent
gnupg2 - GNU privacy guard - a free PGP replacement
gpgsm - GNU privacy guard - S/MIME version
Closes: 472928
Changes:
gnupg2 (2.0.9-1) unstable; urgency=low
.
* New upstream release. Fixes CVE-2008-1530, Key import memory corruption.
(Closes: #472928)
* debian/rules: Don't ignore status of make distclean, just check for
the existance of the Makefile.
Files:
01fcf3190620c59e3f841f28a9efe662 970 utils optional gnupg2_2.0.9-1.dsc
3b6b1742509f396d51528e0cd4c76a13 5198703 utils optional gnupg2_2.0.9.orig.tar.gz
57216c662fdfe9fd1f0e892a281f7089 38347 utils optional gnupg2_2.0.9-1.diff.gz
983bbc8892d1dc420f679b55f5aadb7f 310702 utils optional gnupg-agent_2.0.9-1_amd64.deb
3cec607f4b52e24355558da886f33588 454866 utils optional gpgsm_2.0.9-1_amd64.deb
c78c2285b9f80e892d305b7067e32da7 2155384 utils optional gnupg2_2.0.9-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH7fLmYemOzxbZcMYRAvQWAKCiv0jqbPZqSTUFoeko2ZKUclpycACgxQJX
OwBl5Dt0cdsXy8QNOtuVjKU=
=dP6x
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 30 Apr 2008 07:36:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:31:26 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon