python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928 CVE-2014-1929

Debian Bug report logs - #738509
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 10 Feb 2014 05:33:01 UTC

Severity: grave

Tags: security, upstream

Fixed in versions python-gnupg/0.3.6-1, python-gnupg/0.3.6-1~deb7u1

Done: Elena Grandi <elena.valhalla@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Elena Grandi <elena.valhalla@gmail.com>:
Bug#738509; Package src:python-gnupg. (Mon, 10 Feb 2014 05:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Elena Grandi <elena.valhalla@gmail.com>. (Mon, 10 Feb 2014 05:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928
Date: Mon, 10 Feb 2014 06:30:06 +0100
Source: python-gnupg
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for python-gnupg.

CVE-2013-7323[0]:
Unrestricted use of unquoted strings in a shell

CVE-2014-1927[1]:
Erroneous assumptions about the usability of " characters

CVE-2014-1928[2]:
Erroneous insertion of a \ character

allowing shell injection in python-gnupg.

Please see the thread on oss-security for more details on each of
these issues[3]. Note I have not (yet) checked which of the three CVEs
still apply to the 0.3.5 version.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7323
    http://security-tracker.debian.org/tracker/CVE-2013-7323
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1927
    http://security-tracker.debian.org/tracker/CVE-2014-1927
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1928
    http://security-tracker.debian.org/tracker/CVE-2014-1928
[3] http://www.openwall.com/lists/oss-security/2014/02/09/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
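
The three one-line descriptions above are one bug class: an untrusted value
ends up in a command string that /bin/sh parses, and the quoting applied to
it (none, or double quotes with a backslash in front of each ") is not enough.
The following example is added here and is not python-gnupg's code; it does
not run gpg, it only builds the command the way a vulnerable wrapper would
and shows the argument vector a POSIX shell would derive from it (shlex
models quoting and backslash escapes, not $(...) expansion, which is flagged
separately). The recipient values are constructed, and the rejection of
values that start with "-" is an assumption about what a hardened wrapper
should add on top of passing an argv list.

```python
import shlex
import subprocess

# Constructed illustration of the shell-injection bug class behind these
# CVEs. This is NOT python-gnupg's code; gpg is never executed here, the
# command lines are only inspected.

GPG = "gpg"


def command_unquoted(recipient):
    """Vulnerable: untrusted value dropped into a shell string unquoted.
    Whitespace splits it into extra arguments; ';' would end the command."""
    return "%s --batch --encrypt --recipient %s" % (GPG, recipient)


def command_double_quoted(recipient):
    """Still vulnerable: double quotes plus a backslash before each '"'
    looks safe, but a trailing backslash escapes the closing quote, and
    $(...), `...` and $VAR are expanded by the shell inside double quotes."""
    escaped = recipient.replace('"', '\\"')
    return '%s --batch --encrypt --recipient "%s"' % (GPG, escaped)


def shell_view(cmd):
    """Tokenize the string as a POSIX shell would (quoting and backslash
    escapes only, no expansions). Returns the argv the shell would build,
    or a description of the syntax error a broken quote would cause."""
    try:
        return shlex.split(cmd)
    except ValueError as exc:
        return "shell syntax error: %s" % exc


def shell_expansion_risk(recipient):
    """True if the value contains characters the shell expands even inside
    double quotes; shlex cannot show this, so it is flagged explicitly."""
    return any(c in recipient for c in "$`")


def build_argv(recipient):
    """Hardened: an argument vector and no shell. The recipient is exactly
    one argv element whatever it contains. Values starting with '-' are
    rejected (assumed policy) so gpg cannot parse them as options, which
    argv alone does not prevent."""
    if recipient.startswith("-"):
        raise ValueError("recipient must not look like an option: %r" % recipient)
    return [GPG, "--batch", "--encrypt", "--recipient", recipient]


def run_gpg(argv, data):
    """Execute without a shell; subprocess passes argv through unchanged."""
    return subprocess.run(argv, input=data, capture_output=True, check=False)


if __name__ == "__main__":
    # Constructed recipient values: one benign, the rest malicious.
    for rcpt in ["alice@example.org",
                 "alice --output /tmp/pwned",
                 'alice" --output /tmp/pwned "',
                 "alice\\",
                 "alice$(id)"]:
        print(repr(rcpt))
        print("  unquoted      ->", shell_view(command_unquoted(rcpt)))
        print("  double-quoted ->", shell_view(command_double_quoted(rcpt)))
        print("  expansion risk:", shell_expansion_risk(rcpt))
        try:
            print("  argv          ->", build_argv(rcpt))
        except ValueError as exc:
            print("  argv rejected:", exc)
```

The unquoted form turns "alice --output /tmp/pwned" into three separate
arguments; the double-quoted form survives an embedded " but a single
trailing backslash leaves the quote unterminated, and "$(id)" would still be
expanded by a real shell. With an argv list none of those characters matter,
which is why the remaining check is for option-looking values, not for shell
metacharacters.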



Information forwarded to debian-bugs-dist@lists.debian.org, Elena Grandi <elena.valhalla@gmail.com>:
Bug#738509; Package src:python-gnupg. (Mon, 10 Feb 2014 09:15:08 GMT)


Acknowledgement sent to Elena ``of Valhalla'' <valhalla@trueelena.org>:
Extra info received and forwarded to list. Copy sent to Elena Grandi <elena.valhalla@gmail.com>. (Mon, 10 Feb 2014 09:15:08 GMT)


Message #10 received at 738509@bugs.debian.org:

From: Elena ``of Valhalla'' <valhalla@trueelena.org>
To: 738509@bugs.debian.org
Subject: Re: Bug#738509: python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928
Date: Mon, 10 Feb 2014 10:02:53 +0100
Control: tags 738404 + pending

The CVEs should be fixed in upstream version 0.3.6 for which I've
prepared a package (just submitted to my usual sponsor)

I'm working on backporting the fixes to the 0.3.0 version in stable
-- 
Elena ``of Valhalla''



Added tag(s) pending. Request was from Elena Grandi <elena.valhalla@gmail.com> to control@bugs.debian.org. (Mon, 10 Feb 2014 10:03:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Elena Grandi <elena.valhalla@gmail.com>:
Bug#738509; Package src:python-gnupg. (Wed, 12 Feb 2014 21:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Elena Grandi <elena.valhalla@gmail.com>. (Wed, 12 Feb 2014 21:27:04 GMT)


Message #17 received at 738509@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Elena ``of Valhalla'' <valhalla@trueelena.org>, 738509@bugs.debian.org
Subject: Re: Bug#738509: python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928
Date: Wed, 12 Feb 2014 22:25:48 +0100
Control: retitle -1 python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928 CVE-2014-1929

Hi,

On Mon, Feb 10, 2014 at 10:02:53AM +0100, Elena ``of Valhalla'' wrote:
> Control: tags 738404 + pending
> 
> The CVEs should be fixed in upstream version 0.3.6 for which I've
> prepared a package (just submitted to my usual sponsor)

And one more CVE was assigned by MITRE: CVE-2014-1929, see [1] for
the assignment.

 [1] http://marc.info/?l=oss-security&m=139222212821142&w=2

Regards,
Salvatore



Changed Bug title to 'python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928 CVE-2014-1929' from 'python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 738509-submit@bugs.debian.org. (Wed, 12 Feb 2014 21:27:04 GMT)


Reply sent to Elena Grandi <elena.valhalla@gmail.com>:
You have taken responsibility. (Sat, 22 Feb 2014 12:21:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 22 Feb 2014 12:21:11 GMT)


Message #24 received at 738509-close@bugs.debian.org:

From: Elena Grandi <elena.valhalla@gmail.com>
To: 738509-close@bugs.debian.org
Subject: Bug#738509: fixed in python-gnupg 0.3.6-1
Date: Sat, 22 Feb 2014 12:18:45 +0000
Source: python-gnupg
Source-Version: 0.3.6-1

We believe that the bug you reported is fixed in the latest version of
python-gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 738509@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Elena Grandi <elena.valhalla@gmail.com> (supplier of updated python-gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 06 Feb 2014 09:52:10 +0100
Source: python-gnupg
Binary: python-gnupg python3-gnupg
Architecture: source all
Version: 0.3.6-1
Distribution: unstable
Urgency: high
Maintainer: Elena Grandi <elena.valhalla@gmail.com>
Changed-By: Elena Grandi <elena.valhalla@gmail.com>
Description: 
 python-gnupg - Python wrapper for the Gnu Privacy Guard (Python 2.x)
 python3-gnupg - Python wrapper for the Gnu Privacy Guard (Python 3.x)
Closes: 736496 738509
Changes: 
 python-gnupg (0.3.6-1) unstable; urgency=high
 .
   * New upstream release. Closes: #738509, #736496.
   * CVE-2014-1928 (Erroneous insertion of a \ character) fixed upstream
   * CVE-2014-1927 (Erroneous assumptions about the usability of " characters)
     fixed upstream
   * CVE-2013-7323 (Unrestricted use of unquoted strings in a shell)
     fixed upstream
   * Updated watch file for new download source (pypi).
   * Updated standard versions to 3.9.5 (no change needed).
   * Removed use_quick_random_for_gnupg_1.patch (applied upstream).
   * Updated project homepage
Checksums-Sha1: 
 faf788007e68b2b3b57ffc3be7d7396d8d554de5 1461 python-gnupg_0.3.6-1.dsc
 4661039e19e357bfd310bd067b212475c8fffb7e 20855 python-gnupg_0.3.6.orig.tar.gz
 5a17e31c5a8740367df7f5040bba6061332c0216 4168 python-gnupg_0.3.6-1.debian.tar.xz
 84544a5878ab763ac9e4321d9a64671bf14c4c0c 14692 python-gnupg_0.3.6-1_all.deb
 8ccf0f119dfdd3185cdb4f3db97df193337b3336 14742 python3-gnupg_0.3.6-1_all.deb
Checksums-Sha256: 
 6677b838771bed589768dcc22532f47ed2cb87fad9a6275025c75569b30380f0 1461 python-gnupg_0.3.6-1.dsc
 ffdfad1824fbde8ab94c50e08040edd6a82b4095c187994954471a38c45a094a 20855 python-gnupg_0.3.6.orig.tar.gz
 33591966f27beeaeedb3cb076151f22e4188bf18c201501109e1b76845b944fb 4168 python-gnupg_0.3.6-1.debian.tar.xz
 3ec9563f19a2fe471459565131618e1b5e83415740f6ff5b2db81e7ec0c8448c 14692 python-gnupg_0.3.6-1_all.deb
 7a4423cf31ac5e81cae8d2bc340a090def69c1500a4f2f5c8baf3543428ebb3c 14742 python3-gnupg_0.3.6-1_all.deb
Files: 
 0a52e80065f0c26be810492ba50f7a7b 1461 python optional python-gnupg_0.3.6-1.dsc
 27415bead227e8c6906900b7c777120c 20855 python optional python-gnupg_0.3.6.orig.tar.gz
 c61b5b0aeccef7dc9b199c381cad2bc3 4168 python optional python-gnupg_0.3.6-1.debian.tar.xz
 1708ad88a4526504432d5abd3bb34dfb 14692 python optional python-gnupg_0.3.6-1_all.deb
 9ce572368a662c6442e9c7a1934082df 14742 python optional python3-gnupg_0.3.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlMIlCgACgkQNFDtUT/MKpB6VgCg4yf2kpyj/gY7/0mcET9V0BxF
aFEAoOZPrW+1cUhHPUvsFr1p5yq0YFlv
=7pWO
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Elena Grandi <elena.valhalla@gmail.com>:
Bug#738509; Package src:python-gnupg. (Mon, 14 Apr 2014 15:06:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Elena Grandi <elena.valhalla@gmail.com>. (Mon, 14 Apr 2014 15:06:04 GMT)


Message #29 received at 738509@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Elena ``of Valhalla'' <valhalla@trueelena.org>
Cc: 738509@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#738509: python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928
Date: Mon, 14 Apr 2014 16:52:52 +0200
On Mon, Feb 10, 2014 at 10:02:53AM +0100, Elena ``of Valhalla'' wrote:
> Control: tags 738404 + pending
> 
> The CVEs should be fixed in upstream version 0.3.6 for which I've
> prepared a package (just submitted to my usual sponsor)
> 
> I'm working on backporting the fixes to the 0.3.0 version in stable

Hi,
what's the status?

If the backports are too intrusive, we can also consider to upgrade
the version in wheezy to 0.3.6 as long as the interface remains
stable (but it's a leaf package anyway)

Cheers,
        Moritz



Marked as fixed in versions python-gnupg/0.3.6-1~deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 04 Jun 2014 17:21:18 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Jul 2014 07:25:45 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:53:41 2019; Machine Name: buxtehude
