Your message dated Mon, 04 Jul 2022 07:32:07 +0000
with message-id <e1o8gyx-000byo...@fasolo.debian.org>
and subject line Bug#1014157: fixed in gnupg2 2.2.27-2+deb11u2
has caused the Debian Bug report #1014157,
regarding gnupg: vulnerable to status injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1014157: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014157
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnupg
Version: 2.2.25-2
Control: tag -1 + security patch
Control: forward -1 https://dev.gnupg.org/T6027
Control: affects -1 libgpgme11
Control: found 2.2.27-2+deb11u1

Over in https://www.openwall.com/lists/oss-security/2022/06/30/1 Demi
Marie Obenour reports a failed buffer overflow that has the result that
anyone using gpgme (and probably other tooling) cannot trust the results
of signature validation.

I've confirmed that the reported bug is present both in bullseye
(2.2.27-2+deb11u1) and unstable :(

The attached patch (pulled from upstream git) fixes the matter that was
present in 2.2.25-2.  I'm in the process of testing it on bullseye.

        --dkg

From: Werner Koch <w...@gnupg.org>
Date: Tue, 14 Jun 2022 11:33:27 +0200
Subject: g10: Fix garbled status messages in NOTATION_DATA

* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--

Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong.  Fixed by always using a break to
terminate the escape detection loop.  Might have happened for all
status lines which may wrap.

GnuPG-bug-id: T6027
(cherry picked from commit 34c649b3601383cd11dbc76221747ec16fd68e1b)
---
 g10/cpr.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/g10/cpr.c b/g10/cpr.c
index d502e8b..bc4b715 100644
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
             }
           first = 0;
         }
-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
+      for (esc=0, s=buffer, n=len; n; s++, n--)
         {
           if (*s == '%' || *(const byte*)s <= lower_limit
               || *(const byte*)s == 127 )
             esc = 1;
           if (wrap && ++count > wrap)
-            {
-              dowrap=1;
-              break;
-            }
-        }
-      if (esc)
-        {
-          s--; n++;
+            dowrap=1;
+          if (esc || dowrap)
+            break;
         }
       if (s != buffer)
         es_fwrite (buffer, s-buffer, 1, statusfp);
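
Review bot: the rewritten loop "for (esc=0, s=buffer, n=len; n; s++, n--)" now depends on "break" skipping the "s++, n--" step so that s and n always refer to the first unwritten byte on exit, and that invariant is not documented anywhere in the hunk. A one-line comment above the loop stating it would keep a later cleanup from reintroducing the "!esc" loop condition and the "s--; n++;" fixup. In the removed lines, a byte that both needs escaping and crosses the wrap limit left through the wrap "break" without the increment, yet the "if (esc)" fixup still ran, so s moved back by one and n grew by one. With the new "if (esc || dowrap) break;" both flags can be set on exit, so please confirm the code after this hunk handles that combination, and add a regression test with a NOTATION_DATA value whose escaped byte lands exactly on the wrap boundary.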


--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.2.27-2+deb11u2
Done: Daniel Kahn Gillmor <d...@fifthhorseman.net>

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Jul 2022 03:03:46 -0400
Source: gnupg2
Architecture: source
Version: 2.2.27-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Closes: 1014157
Changes:
 gnupg2 (2.2.27-2+deb11u2) bullseye-security; urgency=high
 .
   * fix broken status line (Closes: #1014157)

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQttUkcnfDcj0MoY88+nXFzcd5WXAUCYr8HvQAKCRA+nXFzcd5W
XH8dAP95UleHZdbuXCzj9cH0aMRnC9BbF933YlQ/dkuPCQMePQD+Lt6UvOeIxnY6
XNzt3NAK8o9Y/jzBACTedllkdZMhRAo=
=gkr5
-----END PGP SIGNATURE-----

--- End Message ---
