Updated gnupg2 packages fix multiple vulnerabilities
Publication date: 09 Oct 2013Modification date: 09 Oct 2013
Type: security
Affected Mageia releases : 2 , 3
CVE: CVE-2013-4351 , CVE-2013-4402
Description
Updated gnupg2 package fixes security vulnerabilities: RFC 4880 permits OpenPGP keyholders to mark their primary keys and subkeys with a "key flags" packet that indicates the capabilities of the key. These are represented as a set of binary flags, including things like "This key may be used to encrypt communications." If a key or subkey has this "key flags" subpacket attached with all bits cleared (off), GnuPG currently treats the key as having all bits set (on). While keys with this sort of marker are very rare in the wild, GnuPG's misinterpretation of this subpacket could lead to a breach of confidentiality or a mistaken identity verification (CVE-2013-4351). Special crafted input data may be used to cause a denial of service against GPG. GPG can be forced to recursively parse certain parts of OpenPGP messages ad infinitum (CVE-2013-4402).
References
SRPMS
2/core
- gnupg2-2.0.18-1.4.mga2
3/core
- gnupg2-2.0.19-3.2.mga3