Debian Bug report logs - #725433
CVE-2013-4402: infinite recursion in the compressed packet parser

version graph

Package: gnupg2; Maintainer for gnupg2 is Eric Dorland <eric@debian.org>; Source for gnupg2 is src:gnupg2.

Reported by: Eric Dorland <eric@debian.org>

Date: Sat, 5 Oct 2013 19:54:01 UTC

Severity: serious

Tags: security

Found in versions gnupg2/2.0.21-2, gnupg2/2.0.20-1, gnupg2/2.0.19-2

Fixed in versions gnupg2/2.0.19-2+deb7u1, gnupg2/2.0.22-1

Done: Eric Dorland <eric@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#725433; Package gnupg2. (Sat, 05 Oct 2013 19:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Eric Dorland <eric@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Sat, 05 Oct 2013 19:54:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Eric Dorland <eric@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-4402: infinite recursion in the compressed packet parser
Date: Sat, 05 Oct 2013 15:51:58 -0400
Package: gnupg2
Version: 2.0.21-2
Severity: normal
Tags: security

Fixed in 2.0.22.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg2 depends on:
ii  dpkg             1.17.1
ii  gnupg-agent      2.0.21-2
ii  install-info     5.2.0.dfsg.1-1
ii  libassuan0       2.1.1-1
ii  libbz2-1.0       1.0.6-5
ii  libc6            2.17-93
ii  libcurl3-gnutls  7.32.0-1
ii  libgcrypt11      1.5.3-2
ii  libgpg-error0    1.12-0.2
ii  libksba8         1.3.0-2
ii  libreadline6     6.2+dfsg-0.1
ii  zlib1g           1:1.2.8.dfsg-1

Versions of packages gnupg2 recommends:
ii  libldap-2.4-2  2.4.31-1+nmu2+b1

Versions of packages gnupg2 suggests:
pn  gnupg-doc   <none>
pn  xloadimage  <none>

-- no debconf information



Reply sent to Eric Dorland <eric@debian.org>:
You have taken responsibility. (Sat, 05 Oct 2013 22:36:10 GMT) Full text and rfc822 format available.

Notification sent to Eric Dorland <eric@debian.org>:
Bug acknowledged by developer. (Sat, 05 Oct 2013 22:36:10 GMT) Full text and rfc822 format available.

Message #10 received at 725433-close@bugs.debian.org (full text, mbox):

From: Eric Dorland <eric@debian.org>
To: 725433-close@bugs.debian.org
Subject: Bug#725433: fixed in gnupg2 2.0.22-1
Date: Sat, 05 Oct 2013 22:33:27 +0000
Source: gnupg2
Source-Version: 2.0.22-1

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725433@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 05 Oct 2013 17:45:28 -0400
Source: gnupg2
Binary: gnupg-agent scdaemon gpgsm gnupg2 gpgv2
Architecture: source amd64
Version: 2.0.22-1
Distribution: unstable
Urgency: low
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description: 
 gnupg-agent - GNU privacy guard - password agent
 gnupg2     - GNU privacy guard - a free PGP replacement (new v2.x)
 gpgsm      - GNU privacy guard - S/MIME version
 gpgv2      - GNU privacy guard - signature verification tool (new v2.x)
 scdaemon   - GNU privacy guard - smart card support
Closes: 722724 725433
Changes: 
 gnupg2 (2.0.22-1) unstable; urgency=low
 .
   * New upstream version. Fixes CVE-2013-4402 and CVE-2013-4351. (Closes:
     #725433, #722724)
   * debian/gnupg2.install: Install gnupg-card-architecture.png for the
     info file.
Checksums-Sha1: 
 5d11168167056e5d5a9f98255d71eedb075b6c71 1665 gnupg2_2.0.22-1.dsc
 9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8 4277117 gnupg2_2.0.22.orig.tar.bz2
 17e4e5cdb50481644ff44f14ec7d59e8382a4afa 16677 gnupg2_2.0.22-1.debian.tar.bz2
 bb6e27c703b1769f7413df4b642a71943dd6b51a 264174 gnupg-agent_2.0.22-1_amd64.deb
 0b70b45d9bbd75be7d5a759650f5cdecf14ac14e 196566 scdaemon_2.0.22-1_amd64.deb
 283a83bdb152709a01b3b750c7effa49507cff5e 227504 gpgsm_2.0.22-1_amd64.deb
 f04ef2ad65f848fa625c58f0e7d68d63af0092d0 1344314 gnupg2_2.0.22-1_amd64.deb
 c7b111ce694cf4e133db0fb47a729eb21516dd3e 178966 gpgv2_2.0.22-1_amd64.deb
Checksums-Sha256: 
 83fa1c1c7311e7d43b57605d6af1359a53b45c1aaa41507f86e6145a4e2d2376 1665 gnupg2_2.0.22-1.dsc
 437d0ab259854359fc48aa8795af80cff4975e559c111c92c03d0bc91408e251 4277117 gnupg2_2.0.22.orig.tar.bz2
 430ac8e40a0acd845e0aa3c01b50ba114a7f6d70a9fb6e576b8680e79af08574 16677 gnupg2_2.0.22-1.debian.tar.bz2
 7bb1607bf1f276612773efdeeba9bf49308b263c1cbae8c927766dcabf5d25e2 264174 gnupg-agent_2.0.22-1_amd64.deb
 c0fa4e9e80669fe0b7f444c31bfdd9531dba4d007b488f791c589c91bcb7d244 196566 scdaemon_2.0.22-1_amd64.deb
 fb5882c3c65fb932c73de665d64c2a07d47ae9c4ce494bd6a3c2f9ca950821a1 227504 gpgsm_2.0.22-1_amd64.deb
 baab694b8cad14c14e164a45a492fb8b5e61bcd63d50fd73afc4b7aea67a1629 1344314 gnupg2_2.0.22-1_amd64.deb
 90868f964697e932c6b367d090df013deedbcaf0844eb76385d905a478f87400 178966 gpgv2_2.0.22-1_amd64.deb
Files: 
 90104f8cb30b82c8a9e4d8f6cce6e6db 1665 utils optional gnupg2_2.0.22-1.dsc
 ee22e7b4fdbfcb50229c2e6db6db291e 4277117 utils optional gnupg2_2.0.22.orig.tar.bz2
 ba860fa8186a19bc96c9d62ed484c5fa 16677 utils optional gnupg2_2.0.22-1.debian.tar.bz2
 e53d9026310199b20c27988d4e656392 264174 utils optional gnupg-agent_2.0.22-1_amd64.deb
 0487ca101fca3e98a0047fd710181e05 196566 utils optional scdaemon_2.0.22-1_amd64.deb
 dd629468833495c1cdd392d00af7ce36 227504 utils optional gpgsm_2.0.22-1_amd64.deb
 a9ac610945d41e26947a5f46f3be6fb8 1344314 utils optional gnupg2_2.0.22-1_amd64.deb
 ba03e0cb639428daf3cd9fde6eab2595 178966 utils optional gpgv2_2.0.22-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlJQkVsACgkQYemOzxbZcMY8tACfYVohJZRq/n/2QO9Q3mLeP7fU
SpMAn3ffajnADePd0qV1w8amKvcglpNU
=lb/2
-----END PGP SIGNATURE-----




Reply sent to Eric Dorland <eric@debian.org>:
You have taken responsibility. (Sat, 12 Oct 2013 19:57:50 GMT) Full text and rfc822 format available.

Notification sent to Eric Dorland <eric@debian.org>:
Bug acknowledged by developer. (Sat, 12 Oct 2013 19:57:50 GMT) Full text and rfc822 format available.

Message #15 received at 725433-close@bugs.debian.org (full text, mbox):

From: Eric Dorland <eric@debian.org>
To: 725433-close@bugs.debian.org
Subject: Bug#725433: fixed in gnupg2 2.0.19-2+deb7u1
Date: Sat, 12 Oct 2013 19:53:09 +0000
Source: gnupg2
Source-Version: 2.0.19-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725433@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 08 Oct 2013 02:04:01 -0400
Source: gnupg2
Binary: gnupg-agent scdaemon gpgsm gnupg2
Architecture: source amd64
Version: 2.0.19-2+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description: 
 gnupg-agent - GNU privacy guard - password agent
 gnupg2     - GNU privacy guard - a free PGP replacement (new v2.x)
 gpgsm      - GNU privacy guard - S/MIME version
 scdaemon   - GNU privacy guard - smart card support
Closes: 722724 725433
Changes: 
 gnupg2 (2.0.19-2+deb7u1) wheezy-security; urgency=high
 .
   * debian/patches/{03-cve-2013-4402_p1.diff,04-cve-2013-4402_p2.diff}:
     Fix for CVE-2013-4402, "infinite recursion in the compressed packet
     parser". (Closes: #725433)
   * debian/patches/05-cve-2013-4351.diff: Fix for CVE-2013-4351, "treats
     no-usage-permitted keys as all-usages-permitted". (Closes: #722724)
Checksums-Sha1: 
 188f9f96286422a2e1a20c2eab12ffbae3436a99 1623 gnupg2_2.0.19-2+deb7u1.dsc
 190c09e6688f688fb0a5cf884d01e240d957ac1f 4187460 gnupg2_2.0.19.orig.tar.bz2
 8bb1172b5b250b3d9f7117d1dcf1f8e0a4b0da7b 20489 gnupg2_2.0.19-2+deb7u1.debian.tar.bz2
 cf614b8fe2bf6c6acbe552d7862a8b8a78b03980 465060 gnupg-agent_2.0.19-2+deb7u1_amd64.deb
 0c155ead33951b35206637f1181ea09ec955b5fa 217696 scdaemon_2.0.19-2+deb7u1_amd64.deb
 3d4a9a6d64624420396ac0e93b64f55b5751e372 256134 gpgsm_2.0.19-2+deb7u1_amd64.deb
 4a4ce12f53d8f2970acf33239a1b1eb874df882c 2284332 gnupg2_2.0.19-2+deb7u1_amd64.deb
Checksums-Sha256: 
 40f3f6ef844e56a90a4de2f3ca59e720121871bc110c865ab1f476361f21f28b 1623 gnupg2_2.0.19-2+deb7u1.dsc
 efa23a8a925adb51c7d3b708c25b6d000300f5ce37de9bdec6453be7b419c622 4187460 gnupg2_2.0.19.orig.tar.bz2
 c70c6b065e460b8cc733811d3c1d1fb343dd887ff9064431a1ba4f6465dda42f 20489 gnupg2_2.0.19-2+deb7u1.debian.tar.bz2
 f0be6fd88957279fcc4c1874289fd942150664bd27bc532bb473f48534289d42 465060 gnupg-agent_2.0.19-2+deb7u1_amd64.deb
 286927c805631f20ec389c0871e5a14fa01c2437206b2b69de5754c2682e2a21 217696 scdaemon_2.0.19-2+deb7u1_amd64.deb
 503f9463f5dd61c60e5c630fa4f920a6fa2a646923ca0109f8309dd808010ae0 256134 gpgsm_2.0.19-2+deb7u1_amd64.deb
 5a4d0f15ab5543bd224a92eee67d7452c1748eab18d0bc27a8b1846eefd1caac 2284332 gnupg2_2.0.19-2+deb7u1_amd64.deb
Files: 
 ec23631be9966f51c684ca4dc055437c 1623 utils optional gnupg2_2.0.19-2+deb7u1.dsc
 6a8589381ca1b0c1a921e9955f42b016 4187460 utils optional gnupg2_2.0.19.orig.tar.bz2
 0f2a7a3a0c140fabc417b7e6a9a35332 20489 utils optional gnupg2_2.0.19-2+deb7u1.debian.tar.bz2
 9d9b07f8fdc1fbb5e9aa93307f118f88 465060 utils optional gnupg-agent_2.0.19-2+deb7u1_amd64.deb
 4abe39af1caee492192ea4541cd89b11 217696 utils optional scdaemon_2.0.19-2+deb7u1_amd64.deb
 b1e10ce508a887f95031988a593557ab 256134 utils optional gpgsm_2.0.19-2+deb7u1_amd64.deb
 644bc452a0d68dd4017663a43d2e055a 2284332 utils optional gnupg2_2.0.19-2+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlJU3/4ACgkQYemOzxbZcMaO7QCdFyOISzbDSkPXHNpHbb1/D3Dp
EUgAmwSwoeO/FWmeG8bm+zpjYy/aF6UQ
=Vx/A
-----END PGP SIGNATURE-----




Marked as found in versions gnupg2/2.0.20-1. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Fri, 25 Oct 2013 09:30:05 GMT) Full text and rfc822 format available.

Severity set to 'serious' from 'normal' Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Fri, 25 Oct 2013 09:30:07 GMT) Full text and rfc822 format available.

Marked as found in versions gnupg2/2.0.19-2. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Thu, 31 Oct 2013 20:06:19 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Dec 2013 07:26:41 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 01:30:39 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.