oss-sec mailing list archives
Re: CVE request: GnuPG-1
From: Olivier Levillain <olivier.levillain () ssi gouv fr>
Date: Tue, 24 Jun 2014 13:07:26 +0200
Hi list,

Thank you for asking for a CVE. Could you please also mention Jean-René Reinhard, who discovered the flaw Florian and I reported?

Best regards,
Olivier Levillain

On 24/06/2014 07:53, mancha wrote:
> On Tue, Jun 24, 2014 at 05:36:15AM +0000, mancha wrote:
>> GnuPG 1.4.17 released on 20140623 [1] fixes a security flaw, reported by Olivier Levillain and Florian Maury, that can be exploited via crafted input to cause a denial of service by triggering an infinite loop [2].
>>
>> Please allocate a CVE identifier for this issue.
>>
>> Many thanks.
>>
>> --mancha
>>
>> [1] http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
>> [2] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=11fdfcf82bd8
>
> This issue has also been corrected in the GnuPG-2 branch [3] though there is not yet a point release which includes the fix. Contrary to my subject line, the CVE request is for both GnuPG 1 & 2.
>
> [3] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=014b2103fcb1