SB2014072214 - Input validation error in gnupg (Alpine package)
Published: July 22, 2014
Security Bulletin ID
SB2014072214
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2014-4617)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=c2e6588bed21e706f32effde964aac688931a9a6
- https://git.alpinelinux.org/aports/commit/?id=629a432eae03b5f2a895567c4e9de7b5e72e42a3
- https://git.alpinelinux.org/aports/commit/?id=eaae6926b62f511e01bc3ed0356dbcd6c7981201
- https://git.alpinelinux.org/aports/commit/?id=4eb7a43f512c0603f2b69d3f26e80004afd6ff61