GLSA Advocate
Posted: Wed Jul 16, 2014 6:26 pm Post subject: [ GLSA 201407-04 ] GnuPG: Denial of Service
Gentoo Linux Security Advisory
Title: GnuPG: Denial of Service (GLSA 201407-04)
Severity: normal
Exploitable: local, remote
Date: July 16, 2014
Bug(s): #514718
ID: 201407-04
Synopsis
A vulnerability in GnuPG can lead to a Denial of Service condition.
Background
The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of
cryptographic software.
Affected Packages
Package: app-crypt/gnupg
Vulnerable: < 2.0.24
Unaffected: >= 2.0.24
Unaffected: >= 1.4.17 < 1.4.18
Unaffected: >= 1.4.18 < 1.4.19
Unaffected: >= 1.4.19 < 1.4.20
Unaffected: >= 1.4.20 < 1.4.21
Unaffected: >= 1.4.21 < 1.4.22
Architectures: All supported architectures
Description
GnuPG does not properly handle a specially crafted compressed packet,
resulting in an infinite loop.
Impact
A context-dependent attacker can cause a Denial of Service.
Workaround
There is no known workaround at this time.
Resolution
All GnuPG 2.0 users should upgrade to the latest version:
Code:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.24"
All GnuPG 1.4 users should upgrade to the latest version:
Code:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.17"
References
CVE-2014-4617
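A check for deciding which of the two Resolution commands applies to a host, added here as an example and not part of the advisory. The function names are hypothetical, the sample `gpg --version` line is constructed, and GNU `sort -V` is assumed for version ordering.

```shell
#!/bin/sh
# Added example (not from GLSA 201407-04): map a GnuPG version string to the
# upgrade atom given in the Resolution section. Function names are hypothetical.

# version_lt A B: succeeds when A orders strictly before B.
# Assumes GNU coreutils `sort -V` (version sort) is available.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# extract_version: read `gpg --version` output on stdin and print the version
# from its first line, e.g. "gpg (GnuPG) 2.0.22" -> "2.0.22".
extract_version() {
    sed -n '1s/^gpg (GnuPG) \([0-9][0-9.]*\).*/\1/p'
}

# glsa_201407_04_atom VERSION: print the atom to upgrade to, or print nothing
# when VERSION already meets the fixed release for its branch.
# Returns 2 for branches the Resolution section does not name.
glsa_201407_04_atom() {
    case "$1" in
        1.4.*) version_lt "$1" 1.4.17 && echo '>=app-crypt/gnupg-1.4.17' ;;
        2.0.*) version_lt "$1" 2.0.24 && echo '>=app-crypt/gnupg-2.0.24' ;;
        *) echo "branch not covered by this example: $1" >&2; return 2 ;;
    esac
    return 0
}

# Constructed sample of the first line of `gpg --version` output.
sample='gpg (GnuPG) 2.0.22'
v=$(printf '%s\n' "$sample" | extract_version)
atom=$(glsa_201407_04_atom "$v") && echo "$v -> ${atom:-already fixed}"
```

On a live system, pipe `gpg --version` into `extract_version` instead of the sample line and pass the printed atom to the `emerge` command from the Resolution section.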