{
  "schema_version": "1.6.2",
  "id": "MGASA-2013-0299",
  "published": "2013-10-09T22:34:30Z",
  "modified": "2013-10-09T22:34:22Z",
  "summary": "Updated gnupg2 packages fix multiple vulnerabilities",
  "details": "Updated gnupg2 package fixes security vulnerabilities:\n\nRFC 4880 permits OpenPGP keyholders to mark their primary keys and subkeys\nwith a \"key flags\" packet that indicates the capabilities of the key. These\nare represented as a set of binary flags, including things like \"This key may\nbe used to encrypt communications.\" If a key or subkey has this \"key flags\"\nsubpacket attached with all bits cleared (off), GnuPG currently treats the key\nas having all bits set (on). While keys with this sort of marker are very rare\nin the wild, GnuPG's misinterpretation of this subpacket could lead to a\nbreach of confidentiality or a mistaken identity verification (CVE-2013-4351).\n\nSpecial crafted input data may be used to cause a denial of service against\nGPG. GPG can be forced to recursively parse certain parts of OpenPGP messages\nad infinitum (CVE-2013-4402).\n",
  "related": [
    "CVE-2013-4351",
    "CVE-2013-4402"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2013-0299.html"
    },
    {
      "type": "REPORT",
      "url": "http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00002.html"
    },
    {
      "type": "REPORT",
      "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00058.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=11306"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:2",
        "name": "gnupg2",
        "purl": "pkg:rpm/mageia/gnupg2?arch=source&distro=mageia-2"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.18-1.4.mga2"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:3",
        "name": "gnupg2",
        "purl": "pkg:rpm/mageia/gnupg2?arch=source&distro=mageia-3"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.19-3.2.mga3"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}