CVE-2015-1606 CVE-2015-1607 -- multiple issues found in GnuPG

Related Vulnerabilities: CVE-2015-1606   CVE-2015-1607  

Debian Bug report logs - #778577


Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Mon, 16 Feb 2015 23:12:02 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in version gnupg2/2.0.14-2

Fixed in versions gnupg2/2.1.2-1, gnupg2/2.0.26-5

Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#778577; Package gnupg2. (Mon, 16 Feb 2015 23:12:06 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Mon, 16 Feb 2015 23:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-1606 CVE-2015-1607 -- multiple issues found in GnuPG
Date: Mon, 16 Feb 2015 18:09:18 -0500
Package: gnupg2
Version: 2.0.14-2
Tags: security
Control: notfound -1 2.1.2-1

Several coding errors were discovered in GnuPG 2.0 lately by Hanno Böck
as part of the Fuzzing Project:

  https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html

These changes are in upstream git, but have not been rolled into an
official release yet, except for 2.1.2 on the upstream "modern" branch.

I believe they go back as far as the version in squeeze, possibly
farther.

         --dkg

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#778577; Package gnupg2. (Tue, 17 Feb 2015 05:30:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Tue, 17 Feb 2015 05:30:05 GMT)


Message #10 received at 778577@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 778577@bugs.debian.org
Subject: Re: Bug#778577: CVE-2015-1606 CVE-2015-1607 -- multiple issues found in GnuPG
Date: Tue, 17 Feb 2015 06:27:20 +0100
Control: fixed -1 2.1.2-1

Hi Daniel,

On Mon, Feb 16, 2015 at 06:09:18PM -0500, Daniel Kahn Gillmor wrote:
> Several coding errors were discovered in GnuPG 2.0 lately by Hanno Böck
> as part of the Fuzzing Project:

Have you checked if gnupg 1.4.x is also affected by both of these
CVEs? We have marked gnupg as "undetermined" so far in the
security-tracker.

Regards,
Salvatore



Marked as fixed in versions gnupg2/2.1.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 778577-submit@bugs.debian.org. (Tue, 17 Feb 2015 05:30:05 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 Feb 2015 05:39:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#778577; Package gnupg2. (Tue, 17 Feb 2015 17:30:05 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Tue, 17 Feb 2015 17:30:05 GMT)


Message #19 received at 778577@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Salvatore Bonaccorso <carnil@debian.org>, 778577@bugs.debian.org
Subject: Re: Bug#778577: CVE-2015-1606 CVE-2015-1607 -- multiple issues found in GnuPG
Date: Tue, 17 Feb 2015 12:26:51 -0500
On Tue 2015-02-17 00:27:20 -0500, Salvatore Bonaccorso wrote:
> Control: fixed -1 2.1.2-1
>
> Hi Daniel,
>
> On Mon, Feb 16, 2015 at 06:09:18PM -0500, Daniel Kahn Gillmor wrote:
>> Several coding errors were discovered in GnuPG 2.0 lately by Hanno Böck
>> as part of the Fuzzing Project:
>
> Have you checked if gnupg 1.4.x is also affected by both of these
> CVEs? We have marked gnupg as "undetermined" so far in the
> security-tracker.

Yes, gpg 1.4.x is also affected.  In particular, CVE-2015-1606 is known
to affect it.  The demonstration vector we have for CVE-2015-1607 is a
keybox file, which is not supported by gpg 1.4.x, but the underlying fix
(normalizing bitshift operations) seems like it should apply to 1.4.x as
well.

I'm not sure how to represent this in the BTS; should i clone this and
reassign it to the gnupg package, or is there a way to make this bug
report apply to both gnupg and gnupg2?

I'm working today on getting patches for both the 2.0.x and 1.4.x
branches.

        --dkg

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#778577; Package gnupg2. (Tue, 17 Feb 2015 21:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Tue, 17 Feb 2015 21:36:04 GMT)


Message #24 received at 778577@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 778577@bugs.debian.org
Subject: Re: Bug#778577: CVE-2015-1606 CVE-2015-1607 -- multiple issues found in GnuPG
Date: Tue, 17 Feb 2015 22:33:10 +0100
Hi Daniel,

On Tue, Feb 17, 2015 at 12:26:51PM -0500, Daniel Kahn Gillmor wrote:
> On Tue 2015-02-17 00:27:20 -0500, Salvatore Bonaccorso wrote:
> > Control: fixed -1 2.1.2-1
> >
> > Hi Daniel,
> >
> > On Mon, Feb 16, 2015 at 06:09:18PM -0500, Daniel Kahn Gillmor wrote:
> >> Several coding errors were discovered in GnuPG 2.0 lately by Hanno Böck
> >> as part of the Fuzzing Project:
> >
> > Have you checked if gnupg 1.4.x is also affected by both of these
> > CVEs? We have marked gnupg as "undetermined" so far in the
> > security-tracker.
> 
> Yes, gpg 1.4.x is also affected.  In particular, CVE-2015-1606 is known
> to affect it.  The demonstration vector we have for CVE-2015-1607 is a
> keybox file, which is not supported by gpg 1.4.x, but the underlying fix
> (normalizing bitshift operations) seems like it should apply to 1.4.x as
> well.

Thanks, I'm updating the security tracker information right now.

> I'm not sure how to represent this in the BTS; should i clone this and
> reassign it to the gnupg package, or is there a way to make this bug
> report apply to both gnupg and gnupg2?

Yes, just clone this bug, reassign to src:gnupg and mark found
versions.

Thank you for your quick reply and confirmation!

Regards,
Salvatore



Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Tue, 17 Feb 2015 22:06:27 GMT)


Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer. (Tue, 17 Feb 2015 22:06:27 GMT)


Message #29 received at 778577-close@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 778577-close@bugs.debian.org
Subject: Bug#778577: fixed in gnupg2 2.0.26-5
Date: Tue, 17 Feb 2015 22:03:41 +0000
Source: gnupg2
Source-Version: 2.0.26-5

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778577@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Feb 2015 17:45:06 -0500
Source: gnupg2
Binary: gnupg-agent scdaemon gpgsm gnupg2 gpgv2
Architecture: source
Version: 2.0.26-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
 gnupg-agent - GNU privacy guard - password agent
 gnupg2     - GNU privacy guard - a free PGP replacement (new v2.x)
 gpgsm      - GNU privacy guard - S/MIME version
 gpgv2      - GNU privacy guard - signature verification tool (new v2.x)
 scdaemon   - GNU privacy guard - smart card support
Closes: 773415 773423 773469 773471 773472 778577
Changes:
 gnupg2 (2.0.26-5) unstable; urgency=medium
 .
   * import bug-fixes from upstream
     (Closes: #773415, #773469, #773471, #773472, #773423)
   * Fixes CVE-2015-1606 "Use after free, resulting from failure to skip
     invalid packets", CVE-2015-1607 "memcpy with overlapping ranges,
     resulting from incorrect bitwise left shifts" (Closes: #778577)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
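
The changelog above attributes CVE-2015-1607 to incorrect bitwise left shifts, and message #19 describes the fix as normalizing bitshift operations. As an added illustration of that bug class (not GnuPG's code and not part of the bug log; the record layout, function names and sample bytes are constructed), this C shows how a big-endian length assembled through signed int becomes an oversized size_t, beside a normalized conversion with a bounds check:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Normalized conversion: widen each byte to uint32_t before shifting,
   so no bit is ever shifted into a sign bit. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Models the unnormalized idiom `(p[0] << 24) | (p[1] << 16) | ...`:
   bytes are promoted to signed int, so a first byte >= 0x80 reaches the
   sign bit (undefined in ISO C, a negative int on common compilers).
   Reproduced through int32_t here so the demo itself stays defined. */
static size_t len_via_signed_int(const unsigned char *p)
{
    int32_t v = (int32_t)be32(p);   /* value the int expression would hold */
    return (size_t)v;               /* sign-extends on 64-bit targets */
}

/* Hypothetical record: 4-byte big-endian length, then payload.
   Returns the number of bytes copied, or -1 if the length is bogus. */
static long copy_payload(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    if (rec_len < 4)
        return -1;
    uint32_t n = be32(rec);
    if (n > rec_len - 4 || n > out_cap)
        return -1;                  /* claims more than we actually hold */
    memmove(out, rec + 4, n);       /* defined even if ranges overlap */
    return (long)n;
}

/* Constructed sample inputs. */
static const unsigned char REC_OK[]  = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
static const unsigned char REC_BAD[] = { 0x80, 0x00, 0x00, 0x10, 'a', 'b', 'c' };

int main(void)
{
    unsigned char out[8];
    printf("normalized: 0x%lx  via signed int: 0x%zx\n",
           (unsigned long)be32(REC_BAD), len_via_signed_int(REC_BAD));
    printf("ok=%ld bad=%ld\n", copy_payload(REC_OK, sizeof REC_OK, out, sizeof out),
           copy_payload(REC_BAD, sizeof REC_BAD, out, sizeof out));
    return 0;
}
```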




Bug 778577 cloned as bug 778652 Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Tue, 17 Feb 2015 22:15:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 19 Mar 2015 07:30:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:21:14 2019; Machine Name: buxtehude
