FS#42943 - [gnupg] backport fix for CVE-2014-9087 (buffer overflow)
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Friday, 28 November 2014, 16:38 GMT
Last edited by Gaetan Bisson (vesath) - Friday, 28 November 2014, 19:56 GMT
Details
Allan noticed that the vulnerability identified in libksba [1] is also present in gnupg 2.1.0 (duplicated code). This has been fixed upstream [2] but I am not sure whether a new version will be released, so I believe it would be wise to backport the patch. While investigating this issue, I also stumbled upon [3], which seems bad at first look, so we may want to backport that too.

[1] https://lists.archlinux.org/pipermail/arch-security/2014-November/000156.html
[2] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da
[3] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=0988764397f99db4efef1eabcdb8072d6159af76;hp=b716e6a69919b89c7887d6c7c9b97e58d18fdf95
Closed by Gaetan Bisson (vesath)
Friday, 28 November 2014, 19:56 GMT
Reason for closing: Fixed
Additional comments about closing: gnupg-2.1.0-6 in [testing]