[pkg-gnupg-maint] Bug#1014157: gnupg: vulnerable to status injection
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jul 1 06:58:31 BST 2022
Package: gnupg
Version: 2.2.25-2
Control: tag -1 + security patch
Control: forward -1 https://dev.gnupg.org/T6027
Control: affects -1 libgpgme11
Control: found 2.2.27-2+deb11u1
over in https://www.openwall.com/lists/oss-security/2022/06/30/1 Demi
Marie Obenour reports a failed buffer overflow that has the result that
anyone using gpgme (and probably other tooling) cannot trust the results
of signature validation.
I've confirmed that the reported bug is present both in bullseye
(2.2.27-2+deb11u1) and unstable :(
The attached patch (pulled from upstream git) fixes the matter that was
present in 2.2.25-2. I'm in the process of testing it on bullseye.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch
Type: text/x-diff
Size: 1395 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20220701/2f1a44e3/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20220701/2f1a44e3/attachment.sig>
More information about the pkg-gnupg-maint
mailing list