[pkg-gnupg-maint] Bug#787139: gnupg2 versions less than 2.0.23 abort (core dump) on ECC keys when used with recent gcrypt
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu May 28 23:52:06 UTC 2015
Package: gnupg2
Version: 2.0.19-1
Severity: important
Control: forwarded -1 https://lists.gnupg.org/pipermail/gnupg-users/2015-May/053685.html
Control: fixed -1 2.0.23-1
Tags: patch upstream
User: pkg-gnupg-maint at lists.alioth.debian.org
Usertags: ecc wheezy
NIIBE Yutaka points out a potential DoS issue:
> Another compatibility issue with ECC was reported to gnupg-users,
> and this is my post (the context is Ubuntu with GnuPG 2.0.22):
>
> https://lists.gnupg.org/pipermail/gnupg-users/2015-May/053685.html
>
> The situation is a bit complicated. It depends on libgcrypt. In
> GnuPG 2.0.23, it introduced a compatibility workaround to disable ECC
> (even when libgcrypt supports ECC).
>
> I think that squeeze-lts doesn't have this problem since libgcrypt in
> squeeze-lts doesn't have the ECC feature. wheezy-backports doesn't have
> this problem because its GnuPG is 2.0.25.
>
> wheezy has this particular issue because its libgcrypt is new and
> GnuPG is old.
This is probably something that we should fix in a wheezy point release,
if there is going to be another one.
The upstream patch (applicable between versions 2.0.22 and 2.0.23) is at
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=6286d01ba33b963be30fbb4fba6f35f1b05acd17
I'm looking into what it would take to backport this to our 2.0.19
wheezy branch.
--dkg
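As an added example that is not part of this bug report or of GnuPG itself, a POSIX shell triage check for the combination NIIBE describes (a GnuPG 2.0.x older than the 2.0.23 workaround together with an ECC-capable libgcrypt). It assumes `gpg2 --version` prints its version on a `gpg (GnuPG) X.Y.Z` line and lists ECDH/ECDSA on the `Pubkey:` line only when libgcrypt provides ECC; the sample output below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added triage check (not from the bug report or GnuPG): flags the
# crash-prone combination of GnuPG 2.0.x < 2.0.23 with ECC-capable libgcrypt.

# version_lt A B: exit 0 if dotted version A sorts before version B
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# check_gpg_version_output: reads `gpg2 --version` text on stdin.
# Exit 0 = affected (2.0.x below 2.0.23 and libgcrypt exposes ECC),
# exit 1 = not affected or not a 2.0 branch build, exit 2 = unparsable.
# Assumption: the "Pubkey:" line names ECDH/ECDSA only when libgcrypt has ECC.
check_gpg_version_output() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | sed -n 's/^gpg (GnuPG) \([0-9][0-9.]*\).*/\1/p' | head -n1)
    [ -n "$ver" ] || return 2
    case "$ver" in
        2.0.*) ;;          # only the 2.0 branch carries this bug
        *) return 1 ;;
    esac
    if printf '%s\n' "$out" | grep -q '^Pubkey:.*ECD'; then ecc=1; else ecc=0; fi
    [ "$ecc" -eq 1 ] && version_lt "$ver" 2.0.23
}

# Constructed sample resembling a wheezy host: old GnuPG, ECC-capable libgcrypt.
WHEEZY_SAMPLE='gpg (GnuPG) 2.0.19
libgcrypt 1.5.0
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA'

# Constructed sample resembling wheezy-backports: GnuPG 2.0.25 carries the workaround.
BACKPORTS_SAMPLE='gpg (GnuPG) 2.0.25
libgcrypt 1.5.0
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA'

if printf '%s\n' "$WHEEZY_SAMPLE" | check_gpg_version_output; then
    echo "affected: GnuPG < 2.0.23 with ECC-capable libgcrypt"
else
    echo "not affected (or not a 2.0.x build)"
fi
```

On a live system replace the constructed sample with `gpg2 --version | check_gpg_version_output`.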