Advisories » MGASA-2013-0299

Updated gnupg2 packages fix multiple vulnerabilities

Publication date: 09 Oct 2013
Modification date: 09 Oct 2013
Type: security
Affected Mageia releases : 2 , 3
CVE: CVE-2013-4351 , CVE-2013-4402

Description

Updated gnupg2 package fixes security vulnerabilities:

RFC 4880 permits OpenPGP keyholders to mark their primary keys and subkeys
with a "key flags" packet that indicates the capabilities of the key. These
are represented as a set of binary flags, including things like "This key may
be used to encrypt communications." If a key or subkey has this "key flags"
subpacket attached with all bits cleared (off), GnuPG currently treats the key
as having all bits set (on). While keys with this sort of marker are very rare
in the wild, GnuPG's misinterpretation of this subpacket could lead to a
breach of confidentiality or a mistaken identity verification (CVE-2013-4351).

Special crafted input data may be used to cause a denial of service against
GPG. GPG can be forced to recursively parse certain parts of OpenPGP messages
ad infinitum (CVE-2013-4402).
                

References

• http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00002.html
• http://lists.opensuse.org/opensuse-updates/2013-09/msg00058.html
• https://bugs.mageia.org/show_bug.cgi?id=11306
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4351
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402

SRPMS

3/core

• gnupg2-2.0.19-3.2.mga3

2/core

• gnupg2-2.0.18-1.4.mga2