gnupg key import memory corruption

Debian Bug report logs - #697108
gnupg key import memory corruption

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: gnupg key import memory corruption

Date: Tue, 01 Jan 2013 15:28:21 +0100

Package: gnupg
Version: 1.4.12-6
Severity: grave
Tags: security

Please see http://seclists.org/bugtraq/2012/Dec/151    

Cheers,
        Moritz

Message #10 received at 697108@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: 697108@bugs.debian.org

Subject: Re: gnupg key import memory corruption

Date: Wed, 2 Jan 2013 08:16:00 +0100

On Tue, Jan 01, 2013 at 03:28:21PM +0100, Moritz Muehlenhoff wrote:
> Package: gnupg
> Version: 1.4.12-6
> Severity: grave
> Tags: security
> 
> Please see http://seclists.org/bugtraq/2012/Dec/151    

This was assigned CVE-2012-6085

Cheers,
        Moritz

Message #15 received at 697108@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

To: Debian Bug Tracking System <697108@bugs.debian.org>

Subject: Re: gnupg key import memory corruption

Date: Wed, 02 Jan 2013 13:18:38 +0100

Package: gnupg
Version: 1.4.12-6
Followup-For: Bug #697108

Hi,

the patch can be easily retrieved from the upstream git repository. It can
be downloaded from [1]. I am tagging this bug report with "patch".

Cheers,

Adrian

> [1] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=f795a0d59e197455f8723c300eebf59e09853efa

Message #20 received at 697108-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 697108-close@bugs.debian.org

Subject: Bug#697108: fixed in gnupg 1.4.12-7

Date: Wed, 02 Jan 2013 19:47:41 +0000

Source: gnupg
Source-Version: 1.4.12-7

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697108@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 02 Jan 2013 19:48:36 +0100
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all amd64
Version: 1.4.12-7
Distribution: unstable
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 697108
Changes: 
 gnupg (1.4.12-7) unstable; urgency=high
 .
   * Apply upstream patch to fix memory and key database corruption
     when importing with invalid keys (CVE-2012-6085, closes: #697108).
Checksums-Sha1: 
 ea6278a011e2592ce8939db93c7cec154211a294 1962 gnupg_1.4.12-7.dsc
 ff054dc49db8081005e25c06261945f4d1ec5c3e 92800 gnupg_1.4.12-7.debian.tar.gz
 966d4fbf2c8fb6614754c22055a7d0cd79508a85 613124 gpgv-win32_1.4.12-7_all.deb
 1d6c54db10ac72a00bdb3d5085b30a69059328d4 1952176 gnupg_1.4.12-7_amd64.deb
 5278ed4a67fe518879e2f60d94330a60057c2295 63242 gnupg-curl_1.4.12-7_amd64.deb
 e9cae08ac46db0c05059443468d2627f71f862bb 225926 gpgv_1.4.12-7_amd64.deb
 f43a559f7060eaa2a3d39636221c9e68a3c75768 352692 gnupg-udeb_1.4.12-7_amd64.udeb
 0439f07da5b2ba286840fbadfa27cde45de590c2 129402 gpgv-udeb_1.4.12-7_amd64.udeb
Checksums-Sha256: 
 000fe943a73fb86289902f49e331c8144514c8079785ed72d6fb5dc07fe3d67c 1962 gnupg_1.4.12-7.dsc
 95c339745e3fde8ad21aad39c1b83ce318fea348cab2d6f3437ef1ac7df549ab 92800 gnupg_1.4.12-7.debian.tar.gz
 9259a0d601f773fc9805859a7f94f43bae0b70bfdfbe0c2e782ee1fcb41ded88 613124 gpgv-win32_1.4.12-7_all.deb
 6fb862ee92eae7b061295edb7855b52d52b40b16d0e67bc8d14fb92818d1480f 1952176 gnupg_1.4.12-7_amd64.deb
 e62116d0a532c92590379d04c8f2dce6274bb03e25d5e6d628c8219f91254a8b 63242 gnupg-curl_1.4.12-7_amd64.deb
 080f1fa0efa0460480a4d77cc9b8ab7558276107cae785e42af48f51f1bb2dd4 225926 gpgv_1.4.12-7_amd64.deb
 a09272e3bc0a2eb902f217d1990ef6ba231a0d007202990da37544b10a074d20 352692 gnupg-udeb_1.4.12-7_amd64.udeb
 01b1906f2b1b7d8862aa78c563a2ed5ce73f6f8d2f3a8bc5f45738e0da566bd4 129402 gpgv-udeb_1.4.12-7_amd64.udeb
Files: 
 471c8300380725eb75f6123fad50bf39 1962 utils important gnupg_1.4.12-7.dsc
 8d52378d6cebc32ec40c9726f120cf74 92800 utils important gnupg_1.4.12-7.debian.tar.gz
 1b7686045456041e3538927dc7cf002d 613124 utils extra gpgv-win32_1.4.12-7_all.deb
 6f3dc49ad3163c9c540029b83f2e52ca 1952176 utils important gnupg_1.4.12-7_amd64.deb
 de16b9c8b05362038b5dc325699319fd 63242 utils optional gnupg-curl_1.4.12-7_amd64.deb
 3d39469bb35082e70bcd486142bcfe82 225926 utils important gpgv_1.4.12-7_amd64.deb
 6b569206c73b0e6e45960b885b59366f 352692 debian-installer extra gnupg-udeb_1.4.12-7_amd64.udeb
 16fdc77ddad0f7a0a9e387273f5cfcef 129402 debian-installer extra gpgv-udeb_1.4.12-7_amd64.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJQ5IttAAoJEFb2GnlAHawEnWwH/A2huLhSAuFsLJnMcAMaVqZl
dW6WAFJzJ9eHV4+qtK2tkt23X5Zu7nPZXNeDFT2o7gwApU7SMfJL5kDan/7z+Lx+
HybHFRAstuySNA1wNiyRGWmAoWLRHBmDMTBNQpJJKuGpbv9GlbNvIOWk2qXVNtHo
Oc5kqpUzFE0ilmRpj0T4oyIAV1cU3PLWogKdoD8uy2DgO0CHOfHf+F8ccmmhC9/H
WibvWK+L82h7AKHfA8sA/v/uYpwoSrf3bJNtG/eKtxzF7kHFMc7iVnlKQI4uhB02
I5D90boxRG8IJDtTMj9dFx6fMa7HD9H+jz32xVmfFSNcxqwe/1oy949bom7Mdbc=
=TBRw
-----END PGP SIGNATURE-----

Message #25 received at 697108@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

To: Debian Bug Tracking System <697108@bugs.debian.org>

Subject: Re: gnupg key import memory corruption

Date: Wed, 02 Jan 2013 20:53:30 +0100

[Message part 1 (text/plain, inline)]

Package: gnupg
Version: 1.4.12-6
Followup-For: Bug #697108

Attaching proposed debdiff. Would do an NMU to fix the problem
upon permission.

Cheers,

Adrian

[gnupg-1.4.12-6.1.diff (text/x-diff, attachment)]

Message #30 received at 697108@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: "John Paul Adrian Glaubitz" <glaubitz@physik.fu-berlin.de>, 697108@bugs.debian.org

Subject: Re: [Pkg-gnupg-maint] Bug#697108: gnupg key import memory corruption

Date: Wed, 2 Jan 2013 21:30:16 +0100

On Wed, January 2, 2013 20:53, John Paul Adrian Glaubitz wrote:
> Package: gnupg
> Version: 1.4.12-6
> Followup-For: Bug #697108
>
> Attaching proposed debdiff. Would do an NMU to fix the problem
> upon permission.

Thanks for your offer! However, I just uploaded an update to gnupg along
the same lines earlier tonight, so it won't be necessary.


Cheers,
Thijs

Message #35 received at 697108@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: 697108@bugs.debian.org

Subject: Re: [Pkg-gnupg-maint] Bug#697108: gnupg key import memory corruption

Date: Wed, 2 Jan 2013 21:33:52 +0100

On Wed, Jan 02, 2013 at 09:30:16PM +0100, Thijs Kinkhorst wrote:
> On Wed, January 2, 2013 20:53, John Paul Adrian Glaubitz wrote:
> > Package: gnupg
> > Version: 1.4.12-6
> > Followup-For: Bug #697108
> >
> > Attaching proposed debdiff. Would do an NMU to fix the problem
> > upon permission.
> 
> Thanks for your offer! However, I just uploaded an update to gnupg along
> the same lines earlier tonight, so it won't be necessary.

Yeah, you were 6 minutes faster than me :). I am happy anyways the
issue has been addressed. Thanks a lot for your quick response!

Cheers,

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

Message #40 received at 697108@bugs.debian.org (full text, mbox, reply):

From: Werner Koch <wk@gnupg.org>

To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

Cc: 697108@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>

Subject: Re: Bug#697108: [Pkg-gnupg-maint] Bug#697108: gnupg key import memory corruption

Date: Thu, 03 Jan 2013 16:31:59 +0100

On Wed,  2 Jan 2013 21:33, glaubitz@physik.fu-berlin.de said:

> Yeah, you were 6 minutes faster than me :). I am happy anyways the
> issue has been addressed. Thanks a lot for your quick response!

Please note that the problem also exists in 2.0 - a quite similar patch
is in the GIT (or try the one from 1.4)


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

Message #45 received at 697108-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 697108-close@bugs.debian.org

Subject: Bug#697108: fixed in gnupg 1.4.10-4+squeeze1

Date: Sun, 06 Jan 2013 23:17:05 +0000

Source: gnupg
Source-Version: 1.4.10-4+squeeze1

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697108@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 02 Jan 2013 20:43:39 +0100
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb
Architecture: source amd64
Version: 1.4.10-4+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
Closes: 697108
Changes: 
 gnupg (1.4.10-4+squeeze1) stable-security; urgency=high
 .
   * Apply upstream patch to fix memory and key database corruption
     when importing with invalid keys (CVE-2012-6085, closes: #697108).
Checksums-Sha1: 
 71f37ec4c4d86055f13bd73140fe0fb9bec220b3 1737 gnupg_1.4.10-4+squeeze1.dsc
 0db579b2dc202213424f55243906b71228dd18d1 4747259 gnupg_1.4.10.orig.tar.gz
 f33b218e4a82dc4a471180ca082490483e3cffd2 30669 gnupg_1.4.10-4+squeeze1.diff.gz
 cb7796c3c680ce8f09d188d7b633ef3a0ba74103 2147792 gnupg_1.4.10-4+squeeze1_amd64.deb
 cf90721469541e80b8ab5f473ef79d9a07d2b052 74720 gnupg-curl_1.4.10-4+squeeze1_amd64.deb
 5ce4a346e269ddfc6f3f8ed2c6a908170087b4f9 221658 gpgv_1.4.10-4+squeeze1_amd64.deb
 b50aadde91e6e878f852486d9f01036fd0ad2944 413368 gnupg-udeb_1.4.10-4+squeeze1_amd64.udeb
 d3dd6c36a8bcd3c33e6befd673452ea939e58e9c 149522 gpgv-udeb_1.4.10-4+squeeze1_amd64.udeb
Checksums-Sha256: 
 388e774c907386a8bedf17fab7c229bc5c9ba3e7435c8779e0d968aa4a852c4f 1737 gnupg_1.4.10-4+squeeze1.dsc
 055e92b6735fb82a6c9f7d506cdd01ae7a733a1f3793d3694083e1f283f5e914 4747259 gnupg_1.4.10.orig.tar.gz
 18ffc6bbf313d91beb16c05ddc0e249e91ddf1b80aa31645843e6473e4e9b406 30669 gnupg_1.4.10-4+squeeze1.diff.gz
 23095d1a7f0d5f5ae8399e58d207dafda631270c7150180dc2f359c91a6490cd 2147792 gnupg_1.4.10-4+squeeze1_amd64.deb
 29164e139b1ffb8a04e16184930e8166bd061d26e4a599d9863da8ae27d2687b 74720 gnupg-curl_1.4.10-4+squeeze1_amd64.deb
 c945456419879de35ead318a4daf0371fa6e4a31e93c4abc88f376e65be3f4f9 221658 gpgv_1.4.10-4+squeeze1_amd64.deb
 4d49fb067b26a5fd54a475fa22de8743f264547de49c0c3255daa190ecf65282 413368 gnupg-udeb_1.4.10-4+squeeze1_amd64.udeb
 7757fd546e4a685617f67f22ab1b0f50ae379b895dc159ec029bbeac07fda309 149522 gpgv-udeb_1.4.10-4+squeeze1_amd64.udeb
Files: 
 7089bee710f73197e32012cc21136a0d 1737 utils important gnupg_1.4.10-4+squeeze1.dsc
 991faf66d3352ac1452acc393c430b23 4747259 utils important gnupg_1.4.10.orig.tar.gz
 cbebdca9254fdca6b7c65c2248179ac0 30669 utils important gnupg_1.4.10-4+squeeze1.diff.gz
 592f297378628f0e586aa5d937b3c239 2147792 utils important gnupg_1.4.10-4+squeeze1_amd64.deb
 efc342f97fd9874f6af2a22ebf4286d5 74720 utils optional gnupg-curl_1.4.10-4+squeeze1_amd64.deb
 add5d9bbb97282efd5b3219ace0b63cb 221658 utils important gpgv_1.4.10-4+squeeze1_amd64.deb
 887984cbabece6c5ab18d23c36171781 413368 debian-installer extra gnupg-udeb_1.4.10-4+squeeze1_amd64.udeb
 af2a49c65c884fc6a60de6f7e26e0945 149522 debian-installer extra gpgv-udeb_1.4.10-4+squeeze1_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJQ5JWaAAoJEFb2GnlAHawECsEH+wVDPJ09mWGjrLrWB52+AQyZ
TUWtTbqrPbOh7wIeqJckCTZQ14UHEAFphLyXV2jJtO/sb4lMtvUExIqt3BtVS7vh
mVRguof0kvhk8cvoOh6/mRC5rpWkKoaMHfwx19jXbFBgNTLcUDYUJ9VQx7PI1Jes
Sug4wqqrar/uD3oR1UHYdhaNb/mgcws9lvOzlEy4wn/IXQEd7CLi8b7I1cujh6qe
QO4bgnFetJuZUQW8MB4L6O0A+D2tJxmiyrEMAfIEk1OPijR4GtMdz0eZTt5LHfBQ
e5sFo1XPECbkErnLgNtF65xYNVuLKcQ+g9afKt8gsh7xALv4Iwm+QYixtSnFLVw=
=6OfQ
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.