Your message dated Sat, 29 Mar 2008 09:03:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#472928: fixed in gnupg2 2.0.9-1
has caused the Debian Bug report #472928,
regarding gnupg2: CVE-2008-1530 memory corruption via crafted key file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
472928: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472928
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: gnupg2
Version: 2.0.8-1
Severity: grave
Tags: security
Justification: user security hole
http://www.ocert.org/advisories/ocert-2008-1.html
It's fixed in 2.0.9, Sarge and Etch are not affected. There's no CVE yet.
Cheers,
Moritz
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages gnupg2 depends on:
ii libbz2-1.0 1.0.5-0.1 high-quality block-sorting file co
ii libc6 2.7-9 GNU C Library: Shared libraries
ii libcurl3-gnutls 7.18.0-1 Multi-protocol file transfer libra
ii libgcrypt11 1.4.0-3 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libkrb53 1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
ii libksba8 1.0.3-1 X.509 and CMS support library
ii libreadline5 5.2-3 GNU readline and history libraries
ii zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime
Versions of packages gnupg2 recommends:
ii libldap2 2.1.30.dfsg-13.5 OpenLDAP libraries
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.0.9-1
We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive:
gnupg-agent_2.0.9-1_amd64.deb
to pool/main/g/gnupg2/gnupg-agent_2.0.9-1_amd64.deb
gnupg2_2.0.9-1.diff.gz
to pool/main/g/gnupg2/gnupg2_2.0.9-1.diff.gz
gnupg2_2.0.9-1.dsc
to pool/main/g/gnupg2/gnupg2_2.0.9-1.dsc
gnupg2_2.0.9-1_amd64.deb
to pool/main/g/gnupg2/gnupg2_2.0.9-1_amd64.deb
gnupg2_2.0.9.orig.tar.gz
to pool/main/g/gnupg2/gnupg2_2.0.9.orig.tar.gz
gpgsm_2.0.9-1_amd64.deb
to pool/main/g/gnupg2/gpgsm_2.0.9-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eric Dorland <[EMAIL PROTECTED]> (supplier of updated gnupg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 29 Mar 2008 03:21:21 -0400
Source: gnupg2
Binary: gnupg-agent gpgsm gnupg2
Architecture: source amd64
Version: 2.0.9-1
Distribution: unstable
Urgency: low
Maintainer: Eric Dorland <[EMAIL PROTECTED]>
Changed-By: Eric Dorland <[EMAIL PROTECTED]>
Description:
gnupg-agent - GNU privacy guard - password agent
gnupg2 - GNU privacy guard - a free PGP replacement
gpgsm - GNU privacy guard - S/MIME version
Closes: 472928
Changes:
gnupg2 (2.0.9-1) unstable; urgency=low
.
* New upstream release. Fixes CVE-2008-1530, Key import memory corruption.
(Closes: #472928)
* debian/rules: Don't ignore status of make distclean, just check for
the existence of the Makefile.
Files:
01fcf3190620c59e3f841f28a9efe662 970 utils optional gnupg2_2.0.9-1.dsc
3b6b1742509f396d51528e0cd4c76a13 5198703 utils optional gnupg2_2.0.9.orig.tar.gz
57216c662fdfe9fd1f0e892a281f7089 38347 utils optional gnupg2_2.0.9-1.diff.gz
983bbc8892d1dc420f679b55f5aadb7f 310702 utils optional gnupg-agent_2.0.9-1_amd64.deb
3cec607f4b52e24355558da886f33588 454866 utils optional gpgsm_2.0.9-1_amd64.deb
c78c2285b9f80e892d305b7067e32da7 2155384 utils optional gnupg2_2.0.9-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH7fLmYemOzxbZcMYRAvQWAKCiv0jqbPZqSTUFoeko2ZKUclpycACgxQJX
OwBl5Dt0cdsXy8QNOtuVjKU=
=dP6x
-----END PGP SIGNATURE-----
--- End Message ---