SB2014022106 - Gentoo update for GnuPG, Libgcrypt

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2012-6085)

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an OpenPGP packet.

2) Information disclosure (CVE-ID: CVE-2013-4242)

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.

3) Cryptographic issues (CVE-ID: CVE-2013-4351)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.

4) Input validation error (CVE-ID: CVE-2013-4402)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/glsa/201402-24