gnupg: CVE-2014-4617: DoS due to garbled compressed data packets

Debian Bug report logs - #752497
gnupg: CVE-2014-4617: DoS due to garbled compressed data packets

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: gnupg: DoS due to garbled compressed data packets

Date: Tue, 24 Jun 2014 08:39:44 +0200

Source: gnupg
Version: 1.4.10-4
Severity: important
Tags: security upstream fixed-upstream

Hi

For reference it the BTS, gnupg 1.4.17 was released containing a fix
for a denial of service due to garbled compressed data packets[1].

 [1] http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
 [2]  http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a

Regards,
Salvatore

Message #14 received at 752497-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 752497-close@bugs.debian.org

Subject: Bug#752497: fixed in gnupg 1.4.16-1.2

Date: Tue, 24 Jun 2014 21:35:01 +0000

Source: gnupg
Source-Version: 1.4.16-1.2

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 752497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Jun 2014 17:02:35 +0200
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all amd64
Version: 1.4.16-1.2
Distribution: unstable
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 752497
Changes:
 gnupg (1.4.16-1.2) unstable; urgency=high
 .
   * Non-maintainer upload with maintainers approval.
   * CVE-2014-4617: Avoid DoS due to garbled compressed data packets.
     Apply upstream commit to stop a possible DoS using garbled compressed
     data packets which can be used to put gpg into an infinite loop.
     (Closes: #752497)
Checksums-Sha1:
 ae7b458e3e6ba670e7dd384d802a4aa99949ca51 2357 gnupg_1.4.16-1.2.dsc
 2f1a1841e115cb1795a2cab6e85bdb59a9a17777 26304 gnupg_1.4.16-1.2.debian.tar.xz
 8cfc65694c2b6dffaec8b768a5eeaaab01e18b93 554394 gpgv-win32_1.4.16-1.2_all.deb
 7fba7b099eac444d5fd0a2f2946c13d5160a0508 1133248 gnupg_1.4.16-1.2_amd64.deb
 222124276101a422bb65328415acae5bf6ea3401 61808 gnupg-curl_1.4.16-1.2_amd64.deb
 41e6b870f88b398b4cda90b2edb32e9053c729f7 203930 gpgv_1.4.16-1.2_amd64.deb
 d4603906b919af8c1a01df78fb5df9481b3135bc 356804 gnupg-udeb_1.4.16-1.2_amd64.udeb
 c069a9e11561e26beb0a176b844a3ab79eedf2fa 131706 gpgv-udeb_1.4.16-1.2_amd64.udeb
Checksums-Sha256:
 e6b1ba501ec7cb65eea015b667ecd826a4fb2877941eea9c7072e4a99a7ed7c3 2357 gnupg_1.4.16-1.2.dsc
 a96064cc3888830527e2b464cfab27c8c1381e03a1e02a9d5a7b8133db77aad9 26304 gnupg_1.4.16-1.2.debian.tar.xz
 94044675a9ec32cf5cbb669847a4d8cc336ad4fa48752cd48c67ecf7c5339593 554394 gpgv-win32_1.4.16-1.2_all.deb
 ba27e1381bac0dfada510b679d45ca5e65f5edc3d2a73b065c039c04abe54f00 1133248 gnupg_1.4.16-1.2_amd64.deb
 42d0c033c5a7974a03e99c0076790a0cd0fee0fe24af3280194239e5383d1c31 61808 gnupg-curl_1.4.16-1.2_amd64.deb
 7406eebc048ca853adfa69502ac0c3e54ebb14f39915ec86fa28199f53400ef2 203930 gpgv_1.4.16-1.2_amd64.deb
 088f18240c4a9aebc017483f13090a08e0364e32ab3a49d2e6b008a2d2f66558 356804 gnupg-udeb_1.4.16-1.2_amd64.udeb
 75c04d83a7b449398a809a64def9de52dfd27e4f1471d32a98d2622f32334b7e 131706 gpgv-udeb_1.4.16-1.2_amd64.udeb
Files:
 158bf0295ca109d2e284ef5255424471 554394 utils extra gpgv-win32_1.4.16-1.2_all.deb
 27c36735cdda45c772f919cbdbf29741 1133248 utils important gnupg_1.4.16-1.2_amd64.deb
 85574af07dd1f28558848c9e11d74253 61808 utils optional gnupg-curl_1.4.16-1.2_amd64.deb
 b971fa9749cec80ee2587508347050fa 203930 utils important gpgv_1.4.16-1.2_amd64.deb
 0a1e6f94a0c2861abddbbf6f0d904d54 356804 debian-installer extra gnupg-udeb_1.4.16-1.2_amd64.udeb
 962f159660832265f1c336fdee0dfb67 131706 debian-installer extra gpgv-udeb_1.4.16-1.2_amd64.udeb
 e679c066263e43145e922012521eaec0 2357 utils important gnupg_1.4.16-1.2.dsc
 36f11376efcf34caefcc63edba4af12e 26304 utils important gnupg_1.4.16-1.2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTqdPiAAoJEAVMuPMTQ89EbbQP/i2pSrShHdU/1p2hFdQ90pv1
u066M5hpQGhBij3qTdN0UO1P8JHsUvrruykURT7GP0W2m74RWOy/P75xLCYBlFSC
t5pMczBtU4LP+3daUkkp+7LI8Y/T7O93Alf73pmR388zqHEa+onKTamtgGdeJe9R
/6/SPxmjGxLjHWmSTXmmuSMC3NmyYHUrb/HOLcgrdqMR2kC7RJnXXqFX0Q8LBKyv
fjb8nzW/+6vP4lCWp7W6Ko3eqQdjYF+Bv8ctJSiM4tpCbWQ1jw2jx/vzFv38EiE9
RiRH8rN0pZXCK0FP2P4BjyvKpgLzHXmHXdtBhIQ8lU4GoG4cd2Convfn2qk5X6lf
qRwpscQkdhxe7r2o8jevaftYOHN9AqtNE5cRIOwhHvq9DLDPPqAeLrwh5o6hFK1r
fuXESfehTLajMpeM7FgZfA8g4hQjztTRXuIWDxwsmX5K3kgoE0E2QWRRlUHN3KxZ
7cXeB16PUDPDhPDz0pFTKwN1cupVrqiUrFRvIx053wraopUHm7PW+agnko7EGRPC
OLs0g+l9QqtwDB+hUKoLw4q1ljmQMzUqRZ02YRB2CS3+irWfWgvjfeon6IuHf0Aa
GYhAhlOsKGkI+fyn0zAHnFR0tEwyacxvPxgZepyOr8OI4dwmqzLvpJvFzL1D8El0
yJnbA8bHK+oEpM4cpFl0
=lNfs
-----END PGP SIGNATURE-----

Message #19 received at 752497-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 752497-close@bugs.debian.org

Subject: Bug#752497: fixed in gnupg 1.4.12-7+deb7u4

Date: Sun, 29 Jun 2014 19:17:06 +0000

Source: gnupg
Source-Version: 1.4.12-7+deb7u4

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 752497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Jun 2014 11:21:36 +0200
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all amd64
Version: 1.4.12-7+deb7u4
Distribution: wheezy-security
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 752497
Changes: 
 gnupg (1.4.12-7+deb7u4) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2014-4617: Avoid DoS due to garbled compressed data packets.
     Apply upstream commit to stop a possible DoS using garbled compressed
     data packets which can be used to put gpg into an infinite loop.
     (Closes: #752497)
Checksums-Sha1: 
 61f290cbbafd310f455d9acac9e743b902711322 2324 gnupg_1.4.12-7+deb7u4.dsc
 bf4ac31553ac27d3709ed89acf55385c6f8004ac 104243 gnupg_1.4.12-7+deb7u4.debian.tar.gz
 0f056402e05f249064a371c2b5e29ca918f7e391 614400 gpgv-win32_1.4.12-7+deb7u4_all.deb
 32ca4b4faee03b5f166372b4115753b434c33d7e 1953538 gnupg_1.4.12-7+deb7u4_amd64.deb
 b5e7e7e1ed23a714feed0dda12dc92c547077ee5 64104 gnupg-curl_1.4.12-7+deb7u4_amd64.deb
 c031378a5ed0aa4ffa34f8f6245d6063749cc5d9 226674 gpgv_1.4.12-7+deb7u4_amd64.deb
 78e8ea13ff478adda308b9322b47b74454ae106b 352888 gnupg-udeb_1.4.12-7+deb7u4_amd64.udeb
 2c85fc453625c7091a06a31a2afbe6639eff7a92 129738 gpgv-udeb_1.4.12-7+deb7u4_amd64.udeb
Checksums-Sha256: 
 31f9cfe4e94d25311d1530c4ed9dab6e7a1dc28cc3ad10bc30719101958009eb 2324 gnupg_1.4.12-7+deb7u4.dsc
 11745cb3e5c89735957b55d46b8cd36470d0dfbca300fa28134216584ef4fa84 104243 gnupg_1.4.12-7+deb7u4.debian.tar.gz
 2d6955dcec3ef31b02ba8d56171528c6f8f2dc9a0e274ba1b057ec372f4936d3 614400 gpgv-win32_1.4.12-7+deb7u4_all.deb
 c5d30fb81ed2b20b8de140a6193214895dd751e223d0513f08c789276ba859ad 1953538 gnupg_1.4.12-7+deb7u4_amd64.deb
 8f021ee545a71efc7cc7c89f98ffe1ad7520f6d19a3250c6158bc27c9cbbbbc1 64104 gnupg-curl_1.4.12-7+deb7u4_amd64.deb
 6bae5b6125d3a1d8d453d316c6c3f7236ae154b477475c15db912c2ffe194398 226674 gpgv_1.4.12-7+deb7u4_amd64.deb
 88386a304eaa9666f361f942bba33f0b7854cf07f711f6e7f0b008136489fcef 352888 gnupg-udeb_1.4.12-7+deb7u4_amd64.udeb
 13c4f31f5036e83c906dab5f116366452f8d6ceff47c1d2c64b3999c0411439e 129738 gpgv-udeb_1.4.12-7+deb7u4_amd64.udeb
Files: 
 580b486123beef6ea35e0927dd535301 2324 utils important gnupg_1.4.12-7+deb7u4.dsc
 25786cbe082755577e84b8fe89676abd 104243 utils important gnupg_1.4.12-7+deb7u4.debian.tar.gz
 0f85528f49d858ba8f10a88284d22df4 614400 utils extra gpgv-win32_1.4.12-7+deb7u4_all.deb
 156e30ec6d669421f6ef299cc6b639ea 1953538 utils important gnupg_1.4.12-7+deb7u4_amd64.deb
 4bdd3c55c2d7e0321020acd806425197 64104 utils optional gnupg-curl_1.4.12-7+deb7u4_amd64.deb
 7cfeaee9c167eef422b4db95994be384 226674 utils important gpgv_1.4.12-7+deb7u4_amd64.deb
 c4773c274790971679bf9473ad76b14b 352888 debian-installer extra gnupg-udeb_1.4.12-7+deb7u4_amd64.udeb
 e05b2bfcd7fedb7442de65f59237db73 129738 debian-installer extra gpgv-udeb_1.4.12-7+deb7u4_amd64.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTqY55AAoJEAVMuPMTQ89EjQ4P/RjeQf3X1ccyCamxyqe+75Dn
R9h+FIUt52Hh4yTIuNByD3P8Z1hdirYJVWHGNCWQ2WU6hUodzKWHTewcPf6io5+a
zVBDkKZnRSGxofYmQk4H3O66utV1JPm/1KbCUkq2gzOA/RjoRsr9kzB59a3BgFmG
v9rr6SQOeWjAQ0Mxq4iTmBwF3d0SBggOCwicfcECCcnj7OWWdG+v1o0y5Yjza8K1
fKEzlt8I0hM0upT/gnaU8DyKtp3lgF7AF0bC5OEwE7Tx7YlGU17LdgI/VM1P3cny
cqBty028Vkg3DUMjAviHc96Ppqk2pxagYsaRWv7jFT2XEfDGUTFpH4kH/kuNnucj
y3ao/QgO0cU5LG85XYxyocuFTwT6dbz1TGJVngfZVTFL0eLZt6lb0uoG6I3A02Ts
VPumkv5HyEph+rr9POnxGXbq5gLOSVKylcSkr90xexIufiGA3asvWdfhgdN8+wyl
TDD1GhQ8lEsX6wl7R1KmyMg/5MzhyvxZuDJKsLU41xYUN/uzbYNDiX+Jgn9DFf42
KykXofqGF9tUB9/0YFN7nZZWrpIJz08Pv6GLEhTxxQyZOyfEw6vPcLihg32mKclT
bq61KHVYqvvSpTtBO6W2grXertzO+cU1/TCALkY+mugl4VxtcO9RilB4G13jgs6o
XypXmViClbCkb6c1v8Za
=JYTB
-----END PGP SIGNATURE-----

Message #24 received at 752497-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 752497-close@bugs.debian.org

Subject: Bug#752497: fixed in gnupg 1.4.10-4+squeeze5

Date: Mon, 30 Jun 2014 19:33:35 +0000

Source: gnupg
Source-Version: 1.4.10-4+squeeze5

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 752497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Jun 2014 15:41:56 +0200
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb
Architecture: source amd64
Version: 1.4.10-4+squeeze5
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
Closes: 752497
Changes: 
 gnupg (1.4.10-4+squeeze5) squeeze-lts; urgency=high
 .
   * CVE-2014-4617: Avoid DoS due to garbled compressed data packets.
     Apply upstream commit to stop a possible DoS using garbled compressed
     data packets which can be used to put gpg into an infinite loop.
     (Closes: #752497)
Checksums-Sha1: 
 9601a33b655a5da51ac2038a7cf20c117f5d6f5b 2068 gnupg_1.4.10-4+squeeze5.dsc
 8c443439c132595d82e6b23f0b2e6a051f34912b 40589 gnupg_1.4.10-4+squeeze5.diff.gz
 a0029f20d957e951e4ea0f2a85168f661c207d8d 2148580 gnupg_1.4.10-4+squeeze5_amd64.deb
 c00bcc0e5eb0e6e5852fa2e2b327b3a426ca4b0d 75106 gnupg-curl_1.4.10-4+squeeze5_amd64.deb
 523f1e11d441ec38ce70415b755484f8c24da997 222448 gpgv_1.4.10-4+squeeze5_amd64.deb
 23f1960d8c90f73550fa1697e0acadc9745ff838 413540 gnupg-udeb_1.4.10-4+squeeze5_amd64.udeb
 31267fe56f25a9f2ab08c1cb7193d4e8d4fd4e2d 149800 gpgv-udeb_1.4.10-4+squeeze5_amd64.udeb
Checksums-Sha256: 
 b545ffca30b7e19772a9ce07eef9a6a618051efa3dc9860ca4e4573e238af204 2068 gnupg_1.4.10-4+squeeze5.dsc
 0c66b8b45d86a139a7c7a6c6a12542d553022263f95ba33d0f1e07dd50342c13 40589 gnupg_1.4.10-4+squeeze5.diff.gz
 42c18a4f4b66582fc3ee4c5a5db251567b8c928e01bfb3045cd1a86a49ae1874 2148580 gnupg_1.4.10-4+squeeze5_amd64.deb
 f419265f651717fd5eab1e1e307f537a593da1d0864e2333e959ae66fb08d8c0 75106 gnupg-curl_1.4.10-4+squeeze5_amd64.deb
 5cabcd49692b5dd3d28d3a6b2d5c8c029107488a6207143138d9372a7886ce66 222448 gpgv_1.4.10-4+squeeze5_amd64.deb
 8f23c47a509ea0ad55327b0a9fd25d9aa1cd52c3d3a22134547616bfb7d8d904 413540 gnupg-udeb_1.4.10-4+squeeze5_amd64.udeb
 29204182226383af437ff769b9e8ce9ad41cba2f67afc0f80ab43d5114c6b3b6 149800 gpgv-udeb_1.4.10-4+squeeze5_amd64.udeb
Files: 
 b1f0d511958851d449d4d774d78a7c9e 2068 utils important gnupg_1.4.10-4+squeeze5.dsc
 2a460bb5832f45358c76471d89720ad2 40589 utils important gnupg_1.4.10-4+squeeze5.diff.gz
 cb9e2004a52270f0af314515b46eae56 2148580 utils important gnupg_1.4.10-4+squeeze5_amd64.deb
 02edfbb7fd3e7b675311f74d8f3e8e88 75106 utils optional gnupg-curl_1.4.10-4+squeeze5_amd64.deb
 4a42643fcc70640d8550b31b4afc649e 222448 utils important gpgv_1.4.10-4+squeeze5_amd64.deb
 80fd89d1809f037150d6c7eaa6c870de 413540 debian-installer extra gnupg-udeb_1.4.10-4+squeeze5_amd64.udeb
 4fe9755d6e601323c98477e20dec3132 149800 debian-installer extra gpgv-udeb_1.4.10-4+squeeze5_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTsbfKAAoJEAVMuPMTQ89EcNwP/RUUjETBQ5ZGIdgiOlsYbz7a
z/B5nd6IlJNW96gDkzWk5SvUk4xwPvcmabSY3WTUtgrcJUT2WHK+Wiizd2UTPhtb
p03qAukWRt0fHnJErALEuuN+bMHmxnhHM0ZRVEUaVAdNCkzPZnMho+BWd2B2tD36
+ABbKACdzIbEGoAo8Pg6DsvLKPDNPrVXjq00oUERVDM7eCCDxjVwcy+dYE+52gJX
FBEe8On3aBHLKWuJ7NVNPtnYbLkjCkSCjYXQWwY1Ljp4HHTZP1hoPozYG+c7lO85
m50ClB9fXhCHs5FDXiW+eaUI6zyn02w4LaZYByAdL5hcd47QMytES/qhNzWBc+UC
ZoFXE8QlLXguI5FxcPtBkgnLGVOjz0dqVGyhM0ZjYpwgIP7nCKQkiHxK13/CeHSy
hCVgkJMX4eUGJpytp+FU9hzfoBm7WbIjr2QnSVIW9a6K7+wmdF18BL9G/1hMkXzB
+mXqsfiF3Vd3scSwk2/d8VJUvssAntWubbtmmlnVKw0BHYqKO1PTettWfDyPQvj3
TBzdEZXyv5xk1iih98NaA8IKgGaPUgASf2h4L6++KpfOMcStNIfaHezYIlTGIrJC
XB7scST++sRZjpKHDtZtANpJNQ0RPRpVa6ZgW1dTZKo6UPfsIZO6RFhoctjEfi+o
+JBwaGQHVSz6+RiIdxKP
=XUtj
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.