oss-sec mailing list archives

Re: CVE request: GnuPG-1


From: mancha <mancha1 () zoho com>
Date: Tue, 24 Jun 2014 05:53:28 +0000

On Tue, Jun 24, 2014 at 05:36:15AM +0000, mancha wrote:
> GnuPG 1.4.17 released on 20140623 [1] fixes a security flaw, reported by
> Olivier Levillain and Florian Maury, that can be exploited via crafted
> input to cause a denial of service by triggering an infinite loop [2].
>
> Please allocate a CVE identifier for this issue.
>
> Many thanks.
>
> --mancha
>
> [1] http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
> [2] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=11fdfcf82bd8

This issue has also been corrected in the GnuPG-2 branch [3] though
there is not yet a point release which includes the fix. Contrary to my
subject line, the CVE request is for both GnuPG 1 & 2.

[3] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=014b2103fcb1
