oss-sec mailing list archives

Re: CVE request: GnuPG Import Key Memory Corruption

From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 27 Mar 2008 18:39:16 -0400 (EDT)


======================================================
Name: CVE-2008-1530
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1530
Reference: MISC:http://www.ocert.org/advisories/ocert-2008-1.html
Reference: CONFIRM:https://bugs.g10code.com/gnupg/issue894
Reference: CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=214990

GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial
of service (crash) and possibly execute arbitrary code via crafted
duplicate keys that are imported from key servers, which triggers
"memory corruption around deduplication of user IDs."

Current thread:

CVE request: GnuPG Import Key Memory Corruption Robert Buchholz (Mar 26)
- Re: CVE request: GnuPG Import Key Memory Corruption Steven M. Christey (Mar 27)