Debian Bug report logs - #725439
gnupg: CVE-2013-4402: infinite recursion in the compressed packet parser

Package: gnupg; Maintainer for gnupg is Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>; Source for gnupg is src:gnupg.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Oct 2013 20:57:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Merged with 725718

Found in version gnupg/1.4.14-1

Fixed in versions gnupg/1.4.15-1, gnupg/1.4.10-4+squeeze3, gnupg/1.4.12-7+deb7u2

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#725439; Package gnupg. (Sat, 05 Oct 2013 20:57:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Sat, 05 Oct 2013 20:57:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnupg: CVE-2013-4402: infinite recursion in the compressed packet parser
Date: Sat, 05 Oct 2013 22:55:43 +0200
Package: gnupg
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for gnupg.

CVE-2013-4402[0]:
infinite recursion in the compressed packet parser

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4402
[1] http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000334.html

Regards,
Salvatore



Marked as found in versions gnupg/1.4.14-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 07 Oct 2013 19:21:17 GMT)

Merged 725439 725718 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 07 Oct 2013 19:21:19 GMT)

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Mon, 07 Oct 2013 19:21:32 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 07 Oct 2013 19:21:32 GMT)

Message #14 received at 725439-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 725439-close@bugs.debian.org
Subject: Bug#725439: fixed in gnupg 1.4.15-1
Date: Mon, 07 Oct 2013 19:18:32 +0000
Source: gnupg
Source-Version: 1.4.15-1

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 07 Oct 2013 20:05:43 +0200
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all amd64
Version: 1.4.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 704645 725439 725718
Changes: 
 gnupg (1.4.15-1) unstable; urgency=high
 .
   * New upstream release (closes: #725718).
     - Fixed possible denial of service in the compressed packet
       parser (CVE-2013-4402, closes: #725439).
     - Documents limitations of the verify command (closes: #704645).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Mon, 07 Oct 2013 19:21:33 GMT)

Notification sent to "Jérémy" <kcchouette@gmail.com>:
Bug acknowledged by developer. (Mon, 07 Oct 2013 19:21:34 GMT)

Message #19 received at 725718-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 725718-close@bugs.debian.org
Subject: Bug#725718: fixed in gnupg 1.4.15-1
Date: Mon, 07 Oct 2013 19:18:32 +0000
Source: gnupg
Source-Version: 1.4.15-1

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725718@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 07 Oct 2013 20:05:43 +0200
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all amd64
Version: 1.4.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 704645 725439 725718
Changes: 
 gnupg (1.4.15-1) unstable; urgency=high
 .
   * New upstream release (closes: #725718).
     - Fixed possible denial of service in the compressed packet
       parser (CVE-2013-4402, closes: #725439).
     - Documents limitations of the verify command (closes: #704645).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Thu, 10 Oct 2013 22:21:17 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 10 Oct 2013 22:21:17 GMT)

Message #24 received at 725439-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 725439-close@bugs.debian.org
Subject: Bug#725439: fixed in gnupg 1.4.10-4+squeeze3
Date: Thu, 10 Oct 2013 22:17:27 +0000
Source: gnupg
Source-Version: 1.4.10-4+squeeze3

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Oct 2013 18:14:40 +0200
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb
Architecture: source amd64
Version: 1.4.10-4+squeeze3
Distribution: squeeze-security
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
Closes: 722722 725439
Changes: 
 gnupg (1.4.10-4+squeeze3) squeeze-security; urgency=high
 .
   * Apply upstream patch to fix infinite recursion in the
     compressed packet parser (CVE-2013-4402, closes: #725439).
   * Apply upstream patch to fix treating no-usage-permitted
     keys as all-usages-permitted (CVE-2013-4351, closes: #722722).
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Thu, 10 Oct 2013 22:21:18 GMT)

Notification sent to "Jérémy" <kcchouette@gmail.com>:
Bug acknowledged by developer. (Thu, 10 Oct 2013 22:21:18 GMT)

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 12 Oct 2013 19:57:53 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 12 Oct 2013 19:57:53 GMT)

Message #33 received at 725439-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 725439-close@bugs.debian.org
Subject: Bug#725439: fixed in gnupg 1.4.12-7+deb7u2
Date: Sat, 12 Oct 2013 19:53:50 +0000
Source: gnupg
Source-Version: 1.4.12-7+deb7u2

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Oct 2013 17:26:36 +0200
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all amd64
Version: 1.4.12-7+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 722722 725439
Changes: 
 gnupg (1.4.12-7+deb7u2) wheezy-security; urgency=high
 .
   * Apply upstream patch to fix infinite recursion in the
     compressed packet parser (CVE-2013-4402, closes: #725439).
   * Apply upstream patch to fix treating no-usage-permitted
     keys as all-usages-permitted (CVE-2013-4351, closes: #722722).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 12 Oct 2013 19:57:54 GMT)

Notification sent to "Jérémy" <kcchouette@gmail.com>:
Bug acknowledged by developer. (Sat, 12 Oct 2013 19:57:54 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Nov 2013 07:28:53 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:08:32 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.