Bug 2103242 - Status line injection via long notation name
Summary: Status line injection via long notation name
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnupg2
Version: 35
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-07-01 18:30 UTC by Demi Marie Obenour
Modified: 2022-07-22 05:09 UTC
CC List: 6 users

Fixed In Version: gnupg2-2.3.6-2.fc36 gnupg2-2.3.4-2.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-07 01:15:55 UTC
Type: Bug
Embargoed:




Links
Debian BTS 1014157 (last updated 2022-07-01 18:30:20 UTC)
Red Hat Issue Tracker FC-493 (last updated 2022-07-01 18:35:41 UTC)

Description Demi Marie Obenour 2022-07-01 18:30:20 UTC
Description of problem:
GnuPG is vulnerable to status line injection via a long notation name.

Version-Release number of selected component (if applicable):
gnupg2-2.3.4-1.fc35

How reproducible:
100%

Steps to Reproduce:
See https://www.openwall.com/lists/oss-security/2022/06/30/1

Actual results:
Fedora’s GnuPG is vulnerable.

Expected results:
Fedora’s GnuPG is not vulnerable.

Additional info:
https://www.openwall.com/lists/oss-security/2022/06/30/1
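
Why a "status line injection" matters to anything that drives gpg: the following is an added example, not code from the bug report, from GnuPG or from GPGME. gpg reports machine-readable results to its caller on --status-fd as one record per line, "[GNUPG:] KEYWORD args...", and attacker-influenced strings such as signature notation names are only safe on that channel if gpg percent-escapes them so they cannot contain a line break. The script models a typical line-oriented consumer and feeds it two constructed streams, one with the notation name escaped and one with it copied through unescaped (the failure mode the report's title names). It does not reproduce the GnuPG defect itself; the escaping rule, the notation name, the key id and the fingerprint are all the example's own.

```python
"""Status line injection as seen by a gpg --status-fd consumer.

Added example; not code from the bug report, GnuPG or GPGME. Every
name, key id and fingerprint below is constructed.
"""
from __future__ import annotations

import re

PREFIX = "[GNUPG:] "

# Constructed values: not a real key, and a real VALIDSIG carries more fields.
FORGED_FPR = "A" * 40
INJECTED_NAME = "hint@example.org\n" + PREFIX + "VALIDSIG " + FORGED_FPR + " 2022-07-01"


def unescape(value: str) -> str:
    """Undo %XX escaping of one status-line argument."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_status(stream: str) -> list[tuple[str, list[str]]]:
    """Split a status-fd stream into (keyword, args) records the way a
    line-oriented consumer does. Lines without the prefix are ignored, since
    ordinary diagnostics share the descriptor when status-fd is stderr."""
    records = []
    for line in stream.split("\n"):
        if not line.startswith(PREFIX):
            continue
        keyword, *args = line[len(PREFIX):].split(" ")
        records.append((keyword, [unescape(a) for a in args]))
    return records


def good_signature_fingerprints(stream: str) -> list[str]:
    """What a consumer usually acts on: the fingerprint of every VALIDSIG."""
    return [args[0] for keyword, args in parse_status(stream) if keyword == "VALIDSIG"]


def notation_name_line(name: str, escape: bool) -> str:
    """Model how a NOTATION_NAME value reaches the status channel.
    escape=True applies this example's own rule (escape '%', spaces and any
    non-printable byte), which is enough to keep the value on one line;
    escape=False models data reaching the channel unescaped."""
    if escape:
        name = "".join(
            c if 32 < ord(c) < 127 and c != "%" else f"%{ord(c):02X}" for c in name
        )
    return PREFIX + "NOTATION_NAME " + name


def build_stream(name: str, escape: bool) -> str:
    """Constructed status output for one verification: the signature is bad
    and it carries the given notation name."""
    return "\n".join([
        PREFIX + "NEWSIG",
        notation_name_line(name, escape),
        PREFIX + "BADSIG 1111111111111111 Mallory <mallory@example.org>",
        "",
    ])


def demo() -> tuple[list[str], list[str]]:
    """Fingerprints the consumer would trust with and without escaping."""
    return (
        good_signature_fingerprints(build_stream(INJECTED_NAME, escape=True)),
        good_signature_fingerprints(build_stream(INJECTED_NAME, escape=False)),
    )


if __name__ == "__main__":
    escaped, unescaped = demo()
    print("escaped stream trusts:  ", escaped)
    print("unescaped stream trusts:", unescaped)
```

With escaping, the consumer sees exactly three records (NEWSIG, NOTATION_NAME, BADSIG) and trusts nothing; without it, the same signature yields an extra VALIDSIG record the consumer cannot tell from a genuine one. The consumer has no way to defend itself here, because the line framing is the only thing that separates gpg's verdict from attacker data; the fix has to be in gpg, which is why the updates below matter.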

Comment 1 Demi Marie Obenour 2022-07-02 17:24:19 UTC
This is CVE-2022-34903

Comment 2 Fedora Update System 2022-07-04 10:12:44 UTC
FEDORA-2022-aa14d396dd has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-aa14d396dd

Comment 3 Fedora Update System 2022-07-05 16:41:52 UTC
FEDORA-2022-aa14d396dd has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-aa14d396dd`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-aa14d396dd

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Demi Marie Obenour 2022-07-06 05:15:09 UTC
@jjelen would it be possible to patch this in Fedora 35 too?

Comment 5 Jakub Jelen 2022-07-06 18:05:08 UTC
It's building: https://koji.fedoraproject.org/koji/taskinfo?taskID=89159649

Comment 6 Fedora Update System 2022-07-06 18:13:13 UTC
FEDORA-2022-1124e5882d has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-1124e5882d

Comment 7 Fedora Update System 2022-07-07 01:15:55 UTC
FEDORA-2022-aa14d396dd has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2022-07-07 02:06:31 UTC
FEDORA-2022-1124e5882d has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-1124e5882d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1124e5882d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-07-22 05:09:47 UTC
FEDORA-2022-1124e5882d has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.
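
A check for whether an installed gnupg2 is at or past the builds in the Fixed In Version field (gnupg2-2.3.6-2.fc36, gnupg2-2.3.4-2.fc35), added here as an example and not code from the bug report or from Fedora's tooling. rpm compares versions with its own rules (rpmvercmp), so a plain string comparison of "2.3.4-1.fc35" against "2.3.4-2.fc35" is not reliable; the script ports rpmvercmp, picks the fixed build matching the package's dist tag, and compares epoch, version and release in order. The NVRs in the assertions and comments are constructed, and the `rpm -q` call at the bottom only means anything on a Fedora host.

```python
"""Is an installed gnupg2 at or past the Fixed In Version for this bug?

Added example; not code from the bug report or Fedora's tooling.
"""
from __future__ import annotations

import re
import subprocess

# From the Fixed In Version field of this bug.
FIXED_IN = ("gnupg2-2.3.6-2.fc36", "gnupg2-2.3.4-2.fc35")


def _take(s: str, pattern: str) -> str:
    m = re.match(pattern, s)
    return m.group(0) if m else ""


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp(): 1 if a is newer, -1 if older, 0 if equal."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # Separators (anything but ASCII alphanumerics, '~' and '^') are skipped.
        while one and not (one[0].isascii() and one[0].isalnum() or one[0] in "~^"):
            one = one[1:]
        while two and not (two[0].isascii() and two[0].isalnum() or two[0] in "~^"):
            two = two[1:]
        # '~' sorts before everything, even end of string (1.0~rc1 < 1.0).
        if one[:1] == "~" or two[:1] == "~":
            if one[:1] != "~":
                return 1
            if two[:1] != "~":
                return -1
            one, two = one[1:], two[1:]
            continue
        # '^' sorts after end of string but before anything else (1.0^git1 > 1.0).
        if one[:1] == "^" or two[:1] == "^":
            if not one:
                return -1
            if not two:
                return 1
            if one[:1] != "^":
                return 1
            if two[:1] != "^":
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        # Next segment is all digits or all letters, decided by the left side.
        if one[0] in "0123456789":
            seg1, seg2, isnum = _take(one, r"[0-9]+"), _take(two, r"[0-9]+"), True
        else:
            seg1, seg2, isnum = _take(one, r"[A-Za-z]+"), _take(two, r"[A-Za-z]+"), False
        if not seg2:
            return 1 if isnum else -1  # numeric segments are newer than alphabetic ones
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):  # more digits means a larger number
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1  # whichever side has segments left is newer


def parse_nvr(nvr: str) -> tuple[str, str, str, str]:
    """Split NAME-[EPOCH:]VERSION-RELEASE into (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def dist_tag(release: str) -> str | None:
    m = re.search(r"\.(fc\d+)", release)
    return m.group(1) if m else None


def compare_evr(a: list[str], b: list[str]) -> int:
    for x, y in zip(a, b):  # epoch, then version, then release
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_fixed(installed_nvr: str, fixed: tuple[str, ...] = FIXED_IN) -> bool:
    """True if installed_nvr is at or past the fixed build for its Fedora release."""
    name, *evr = parse_nvr(installed_nvr)
    dist = dist_tag(evr[2])
    for candidate in fixed:
        fname, *fevr = parse_nvr(candidate)
        if fname == name and dist_tag(fevr[2]) == dist:
            return compare_evr(evr, fevr) >= 0
    raise ValueError(f"no fixed build recorded for {name} on {dist}")


if __name__ == "__main__":
    # Queries the local rpm database; only meaningful on a Fedora host.
    installed = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{EVR}\n", "gnupg2"],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    print(installed, "is fixed" if is_fixed(installed) else "is NOT fixed (CVE-2022-34903)")
```

The reported version, gnupg2-2.3.4-1.fc35, compares below gnupg2-2.3.4-2.fc35 on the release field alone, which is exactly the case a naive version-only comparison gets wrong. A Fedora release with no entry in the Fixed In Version field raises rather than guessing.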

