KB Sriram (kbsriram) reports:

Versions of GnuPG <= 1.4.12 are vulnerable to memory access violations and public keyring database corruption when importing public keys that have been manipulated. An OpenPGP key can be fuzzed in such a way that gpg segfaults (or has other memory access violations) when importing the key. The key may also be fuzzed such that gpg reports no errors when examining the key (e.g. "gpg the_bad_key.pkr") but importing it causes gpg to corrupt its public keyring database.

The database corruption issue was first reported on Dec 6th, through the gpg bug tracking system: https://bugs.g10code.com/gnupg/issue1455 The subsequent memory access violation was discovered and reported in a private email with the maintainer on Dec 20th.

A zip file with keys that cause segfaults and other errors is available at http://dl.dropbox.com/u/18852638/gnupg-issues/1455.zip and includes a log file that demonstrates the issues [on MacOS X and gpg 1.4.11].

A new version of gpg -- 1.4.13 -- that addressed both these issues was independently released by the maintainer on Dec 20th. The simplest solution is to upgrade all gpg installs to 1.4.13.

[Workarounds: A corrupted database may be recovered by manually copying back the pubring.gpg~ backup file. Certain errors may also be prevented by never directly importing a key, but first just "looking" at the key (e.g. "gpg bad_key.pkr"). However, this is not guaranteed to work in all cases; though upgrading to 1.4.13 does work for the issues reported.]

Discovery: The problem was discovered during a byte-fuzzing test of OpenPGP certificates for an unrelated application. Each byte in turn was replaced by a random byte, and the modified certificate fed to the application to check that it handled errors correctly. Gpg was used as a control, but it itself turned out to have errors related to packet parsing.

The errors are generally triggered when fuzzing the length field of OpenPGP packets, which cascades into subsequent errors in certain situations.

External references:
https://bugs.g10code.com/gnupg/issue1455
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=f0b33b6fb8e0586e9584a7a409dcc31263776a67
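The report above points at the length field of OpenPGP packets as the usual trigger. The following bounds-checked packet-header parser is an added example written for this bug entry; it is not GnuPG's code and not the fix in the referenced commit. It shows the check a fuzzed length octet has to pass, namely that the declared body length is compared against the octets actually remaining before anything reads the body. The sample packets are constructed here, not taken from the 1455.zip archive.

```c
#include <stddef.h>
#include <stdint.h>

/* Parse the OpenPGP packet header (RFC 4880, section 4.2) at buf[0..len)
 * and check that the declared body fits in the octets that follow it.
 * Returns the body length, or -1 if the header is malformed, truncated, or
 * claims more octets than the buffer holds. *tag (may be NULL) receives the
 * packet tag. Indeterminate old-format and partial new-format lengths are
 * rejected: neither is valid for key material in a keyring. */
static long parse_packet_header(const uint8_t *buf, size_t len, int *tag)
{
    size_t i = 0, body = 0;
    int t;
    if (len < 1 || !(buf[0] & 0x80)) return -1;      /* bit 7 must be set */
    if (buf[0] & 0x40) {                             /* new packet format */
        t = buf[0] & 0x3f;
        if (len < 2) return -1;
        uint8_t b = buf[1];
        if (b < 192) { body = b; i = 2; }
        else if (b < 224) {                          /* two-octet length */
            if (len < 3) return -1;
            body = ((size_t)(b - 192) << 8) + buf[2] + 192; i = 3;
        } else if (b == 255) {                       /* five-octet length */
            if (len < 6) return -1;
            body = ((size_t)buf[2] << 24) | ((size_t)buf[3] << 16)
                 | ((size_t)buf[4] << 8) | buf[5];
            i = 6;
        } else return -1;                            /* partial body length */
    } else {                                         /* old packet format */
        t = (buf[0] >> 2) & 0x0f;
        if (t == 0 || (buf[0] & 3) == 3) return -1;  /* reserved tag / indeterminate */
        size_t n = (size_t)1 << (buf[0] & 3);        /* 1, 2 or 4 length octets */
        if (len < 1 + n) return -1;
        for (size_t k = 0; k < n; k++) body = (body << 8) | buf[1 + k];
        i = 1 + n;
    }
    if (tag) *tag = t;
    /* The check a fuzzed length field must not get past: the body must fit. */
    return body > len - i ? -1 : (long)body;
}

/* Constructed samples (not from the 1455.zip archive): an old-format tag-6
 * public-key header with 1-octet length 3 and a 3-octet body, the same
 * packet with its length octet fuzzed to 0xff, and a new-format tag-6
 * header declaring a 2-octet body. */
static const uint8_t good_pkt[]   = { 0x98, 0x03, 0x04, 0x51, 0x00 };
static const uint8_t fuzzed_pkt[] = { 0x98, 0xff, 0x04, 0x51, 0x00 };
static const uint8_t new_pkt[]    = { 0xc6, 0x02, 0xaa, 0xbb };
```

A parser that walks a keyring packet by packet only advances past a packet when this function returns a non-negative length, so a single fuzzed length octet fails on its own packet instead of cascading into the ones after it.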
Proposing as NTH, this is a security issue in a key package which is used during installation. But low impact, so not a blocker per the policy.
Of course gnupg2-2.0.19 (current latest upstream on 2.0 branch) is affected as well.
Please note for Fedora bug #889440 "gnupg-1.4.13 is available"
Created attachment 671621: GnuPG1-CVE-2012-6085.patch
Created attachment 671624: GnuPG2-CVE-2012-6085.patch
According to Werner Koch a 2.0.20 release of GnuPG is planned that will include the fix for this (498882296ffac7987c644aaf2a0aa108a2925471) but was delayed due to the holidays/etc.
https://bugzilla.redhat.com/show_bug.cgi?id=891401 used for F18 NTH purposes.
gnupg2-2.0.19-7.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
gnupg-1.4.13-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
gnupg2-2.0.19-7.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Created gnupg2 tracking bugs for this issue: Affects: epel-5 [bug 895850]
gnupg2-2.0.19-7.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
gnupg-1.4.13-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
gnupg-1.4.13-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Created gnupg2 tracking bugs for this issue: Affects: fedora-all [bug 1015968]
Created gnupg tracking bugs for this issue: Affects: fedora-all [bug 1016525]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:1459 https://rhn.redhat.com/errata/RHSA-2013-1459.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:1458 https://rhn.redhat.com/errata/RHSA-2013-1458.html
Statement: (none)