[Pkg-gnupg-maint] Bug#778577: CVE-2015-1606 CVE-2015-1607 -- multiple issues found in GnuPG

Salvatore Bonaccorso carnil at debian.org
Tue Feb 17 21:33:10 UTC 2015


Hi Daniel,

On Tue, Feb 17, 2015 at 12:26:51PM -0500, Daniel Kahn Gillmor wrote:
> On Tue 2015-02-17 00:27:20 -0500, Salvatore Bonaccorso wrote:
> > Control: fixed -1 2.1.2-1
> >
> > Hi Daniel,
> >
> > On Mon, Feb 16, 2015 at 06:09:18PM -0500, Daniel Kahn Gillmor wrote:
> >> Several coding errors were discovered in GnuPG 2.0 lately by Hanno Böck
> >> as part of the Fuzzing Project:
> >
> > Have you checked if gnupg 1.4.x is also affected by both of these
> > CVEs? We have marked gnupg as "undetermined" so far in the
> > security-tracker.
> 
> Yes, gpg 1.4.x is also affected.  In particular, CVE-2015-1606 is known
> to affect it.  The demonstration vector we have for CVE-2015-1607 is a
> keybox file, which is not supported by gpg 1.4.x, but the underlying fix
> (normalizing bitshift operations) seems like it should apply to 1.4.x as
> well.

Thanks, I'm updating the security tracker information right now.

> I'm not sure how to represent this in the BTS; should i clone this and
> reassign it to the gnupg package, or is there a way to make this bug
> report apply to both gnupg and gnupg2?

Yes, just clone this bug, reassign to src:gnupg and mark found
versions.

Thank you for your quick reply and confirmation!

Regards,
Salvatore



More information about the Pkg-gnupg-maint mailing list