Werner Koch reports: We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.22. This is a *security fix* release and all users are advised to updated to this version. See below for the impact of the problem. What's New in 2.0.22 ==================== * Fixed possible infinite recursion in the compressed packet parser. [CVE-2013-4402] Impact of the security problem ============================== Special crafted input data may be used to cause a denial of service against GPG (GnuPG's OpenPGP part) and some other OpenPGP implementations. All systems using GPG to process incoming data are affected. Taylor R Campbell invented a neat trick to generate OpenPGP packages to force GPG to recursively parse certain parts of OpenPGP messages ad infinitum. As a workaround a tight "ulimit -v" setting may be used to mitigate the problem. Sample input data to trigger this problem has not yet been seen in the wild. Details of the attack will eventually be published by its inventor. A fixed release of the GnuPG 1.4 series will be releases soon.
Acknowledgements: Red Hat would like to thank Werner Koch for reporting this issue. Upstream acknowledges Taylor R Campbell as the original reporter.
Public via: http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000334.html
Created gnupg2 tracking bugs for this issue: Affects: fedora-all [bug 1015968] Affects: epel-5 [bug 1015969]
Created gnupg tracking bugs for this issue: Affects: fedora-all [bug 1015967]
Also note the following announcement for gnupg2: http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000333.html
gnupg-1.4.15-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Write up from the original reporter can be found in: http://mumble.net/~campbell/blag.txt http://thread.gmane.org/gmane.comp.security.oss.general/11247 (copy of the relevant parts)
gnupg-1.4.15-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
gnupg2-2.0.22-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
gnupg2-2.0.22-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:1459 https://rhn.redhat.com/errata/RHSA-2013-1459.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:1458 https://rhn.redhat.com/errata/RHSA-2013-1458.html
gnupg2-2.0.22-1.fc18, libgpg-error-1.11-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
gnupg-1.4.15-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.