Debian Bug report logs -
#756651
gpgme1.0: CVE-2014-3564: heap-based buffer overflow in gpgsm status handler
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 31 Jul 2014 19:48:01 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in versions gpgme1.0/1.5.0-0.1, gpgme1.0/1.2.0-1.2
Fixed in versions gpgme1.0/1.5.1-1, gpgme1.0/1.2.0-1.4+deb7u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#756651; Package src:gpgme1.0.
(Thu, 31 Jul 2014 19:48:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>.
(Thu, 31 Jul 2014 19:48:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gpgme1.0
Version: 1.5.0-0.1
Severity: grave
Tags: security upstream fixed-upstream patch
Hi,
the following vulnerability was published for gpgme1.0. (filling with
severity grave, but not sure if this can only be used for DoS).
CVE-2014-3564[0]:
heap-based buffer overflow in gpgsm status handler
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-3564
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1113267
[2] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as fixed in versions gpgme1.0/1.5.1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 05 Aug 2014 05:18:05 GMT) (full text, mbox, link).
Marked as found in versions gpgme1.0/1.2.0-1.2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 14 Aug 2014 11:15:08 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Wed, 20 Aug 2014 19:03:29 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 20 Aug 2014 19:03:29 GMT) (full text, mbox, link).
Message #14 received at 756651-close@bugs.debian.org (full text, mbox, reply):
Source: gpgme1.0
Source-Version: 1.2.0-1.4+deb7u1
We believe that the bug you reported is fixed in the latest version of
gpgme1.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 756651@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gpgme1.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 14 Aug 2014 09:39:43 +0200
Source: gpgme1.0
Binary: libgpgme11-dev libgpgme11
Architecture: source amd64
Version: 1.2.0-1.4+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Jose Carlos Garcia Sogo <jsogo@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
libgpgme11 - GPGME - GnuPG Made Easy
libgpgme11-dev - GPGME - GnuPG Made Easy
Closes: 756651
Changes:
gpgme1.0 (1.2.0-1.4+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2014-3564.dpatch patch.
CVE-2014-3564: heap-based buffer overflow in gpgsm status handler.
(Closes: #756651)
Checksums-Sha1:
1f40d73a32eb234c070e623594a0ae0b39d1af19 1931 gpgme1.0_1.2.0-1.4+deb7u1.dsc
21ac8faf6cd47162940d576cf1b9a8c245e8424e 1114846 gpgme1.0_1.2.0.orig.tar.gz
5aee0778bbcea3a742c156d9a22b54bc20715452 593932 gpgme1.0_1.2.0-1.4+deb7u1.diff.gz
4c82fb93c2ebc145321ab0d7a216021b74433fe3 586258 libgpgme11-dev_1.2.0-1.4+deb7u1_amd64.deb
ac34a3ed134f2bac1671cd94866b549ef9b0989c 349076 libgpgme11_1.2.0-1.4+deb7u1_amd64.deb
Checksums-Sha256:
2108b886272fe8d5d22d9a33d38eaf5f8ee9f9c3453892b3ea143480575295cc 1931 gpgme1.0_1.2.0-1.4+deb7u1.dsc
b57e48e71ca507ef7ec1acc2370e007dee36a60ac26699102f35a4312c121f77 1114846 gpgme1.0_1.2.0.orig.tar.gz
20a553e8ccf3254588be1b376a75d5f4fc0e0b488f14f6e98d6ccd7ba7e85cd7 593932 gpgme1.0_1.2.0-1.4+deb7u1.diff.gz
c3403e8e63626a85b545ca63c006725b9aeb73c4e65140bd1ad55c974dfb34b0 586258 libgpgme11-dev_1.2.0-1.4+deb7u1_amd64.deb
d49c90be3857cc89b8fc200191dffba76e65f82200f64696df4e861d558ab6c0 349076 libgpgme11_1.2.0-1.4+deb7u1_amd64.deb
Files:
91ad91fb06e22ea4cda727da9bd86662 1931 libdevel optional gpgme1.0_1.2.0-1.4+deb7u1.dsc
3164bbbd49f94863f2849f39c343521e 1114846 libdevel optional gpgme1.0_1.2.0.orig.tar.gz
4b6e892f75f65b99234b18bfefd25587 593932 libdevel optional gpgme1.0_1.2.0-1.4+deb7u1.diff.gz
0277a180ace8c44e79d2a3f9f400b2d7 586258 libdevel optional libgpgme11-dev_1.2.0-1.4+deb7u1_amd64.deb
c8b0f58acbc95ef178785bcf5c13e70b 349076 libs optional libgpgme11_1.2.0-1.4+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCgAGBQJT7HvVAAoJEAVMuPMTQ89EUWgP/3ti0VJE14Z0Dif9S+rr7ALA
FHnQhC9Xl/ydi8UfiESF4HB00X+f73AyW2bQZudWe/cg/SztHSUA+57lxe8gZ+56
5E3nUoRhF3hMbLDBXmKHavM8AV07VDG/o/txI63y9nBUFdyPMIzClZ0AAg764onX
11FHN5sjJV9Q6DHrIm2+Kch4qHpPKUTLBwduYsaOhfUOrJK8jXcKUoLmoOSRF9Ja
utvfv+HsiJ6Wssps4GX3kb+TwUcLALmMsOjXeb7PjkxUYjLmtFvpb9sOc/AoaMJf
DX/spK21sKYCctyK0y/v92AKUMqlEMR/j+UOVmC22/4dYwF8AvCPUc+Nn6vsvJB/
ChkojQmVB9+WFYhYE4n+gAgsHePPASyiyTJlAbxRoGN+H4W0Xb0VA1W//yCXdPbg
+W5MYPkhZymJWTVwGyHJmQPWLq7ft2iL8zgmweXTi8wnZUMsD3eg7DfUuvHJlkxI
ME7R9O9MPlN2HZ0NLQNFFGMH/cfD2JDibydNp9sxDJcdz+/W2aGJW2ddh/Xb3Nyu
NEko2oSubiyt6Bd9NiSnwqBPP2z2Hjes/GNziu1Z3gc7pRonFD6+cwOoskQD0s25
D1pFsTu6Jjnx2rp6HJc2VQv/tUQK23aiJPCKcB5BtNJN7ZlXU+ItGUrkpayJ7KjO
LWMZ5xaV2XHKxNlSGdty
=eS/1
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 27 Oct 2014 07:33:18 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:27:18 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon