[Pkg-gnupg-maint] Bug#778577: CVE-2015-1606 CVE-2015-1607 -- multiple issues found in GnuPG
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Feb 17 17:26:51 UTC 2015
On Tue 2015-02-17 00:27:20 -0500, Salvatore Bonaccorso wrote:
> Control: fixed -1 2.1.2-1
>
> Hi Daniel,
>
> On Mon, Feb 16, 2015 at 06:09:18PM -0500, Daniel Kahn Gillmor wrote:
>> Several coding errors were discovered in GnuPG 2.0 lately by Hanno Böck
>> as part of the Fuzzing Project:
>
> Have you checked if gnupg 1.4.x is also affected by both of these
> CVEs? We have marked gnupg as "undetermined" so far in the
> security-tracker.
Yes, gpg 1.4.x is also affected. In particular, CVE-2015-1606 is known
to affect it. The demonstration vector we have for CVE-2015-1607 is a
keybox file, which is not supported by gpg 1.4.x, but the underlying fix
(normalizing bitshift operations) seems like it should apply to 1.4.x as
well.
I'm not sure how to represent this in the BTS; should i clone this and
reassign it to the gnupg package, or is there a way to make this bug
report apply to both gnupg and gnupg2?
I'm working today on getting patches for both the 2.0.x and 1.4.x
branches.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20150217/91ef3c31/attachment.sig>
More information about the Pkg-gnupg-maint
mailing list