SB2013101003 - Cryptographic issues in GNU GnuPG
Published: October 10, 2013 Updated: August 3, 2020
Security Bulletin ID
SB2013101003
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cryptographic issues (CVE-ID: CVE-2013-4351)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-updates/2013-10/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2013-10/msg00006.html
- http://rhn.redhat.com/errata/RHSA-2013-1459.html
- http://thread.gmane.org/gmane.comp.encryption.gpg.devel/17712/focus=18138
- http://ubuntu.com/usn/usn-1987-1
- http://www.debian.org/security/2013/dsa-2773
- http://www.debian.org/security/2013/dsa-2774
- http://www.openwall.com/lists/oss-security/2013/09/13/4
- https://bugzilla.redhat.com/show_bug.cgi?id=1010137