Bug#697251: marked as done (gnupg2: gnupg key import memory corruption)

[Debian Bug Tracking System]

Your message dated Fri, 04 Jan 2013 06:32:36 +0000
with message-id <e1tr0py-0005vq...@franck.debian.org>
and subject line Bug#697251: fixed in gnupg2 2.0.19-2
has caused the Debian Bug report #697251,
regarding gnupg2: gnupg key import memory corruption
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
697251: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697251
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: gnupg2
Version: 2.0.19-1
Severity: critical
Tags: security
Justification: root security hole


Hi.

This is a follow up for #697108 and CVE-2012-6085.

While it seems that all world fixes this only for gpg 1.4.x Werner's
bug entry[0,1] implies that 2.x is also affected.
Could you please have a look?


btw: Marking as root security hole, because people may use gpg2 to
e.g. manually verify packages before installing them. Yeah I know,... apt
would use gpg1 where it is already fixed. But better too high severity, than
sorry ;)


Cheers,
Chris.

[0] https://bugs.g10code.com/gnupg/issue1455
[1] https://bugs.g10code.com/gnupg/msg4493

--- End Message ---

--- Begin Message ---

Source: gnupg2
Source-Version: 2.0.19-2

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <e...@debian.org> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 04 Jan 2013 00:56:52 -0500
Source: gnupg2
Binary: gnupg-agent scdaemon gpgsm gnupg2
Architecture: source amd64
Version: 2.0.19-2
Distribution: unstable
Urgency: high
Maintainer: Eric Dorland <e...@debian.org>
Changed-By: Eric Dorland <e...@debian.org>
Description: 
 gnupg-agent - GNU privacy guard - password agent
 gnupg2     - GNU privacy guard - a free PGP replacement (new v2.x)
 gpgsm      - GNU privacy guard - S/MIME version
 scdaemon   - GNU privacy guard - smart card support
Closes: 697251
Changes: 
 gnupg2 (2.0.19-2) unstable; urgency=high
 .
   * debian/patches/02-cve-2012-6085.diff: Patch from upstream to fix
     CVE-2012-6085, "gnupg key import memory corruption". (Closes: #697251)
   * debian/control: Use canonical addresses for VCS.
   * debian/control: Fix scdaemon short description.
Checksums-Sha1: 
 c4350fdae252a72de990f17ffed0343b2b8245f4 1595 gnupg2_2.0.19-2.dsc
 80812ec94e6edf0c0695ec97c01a7f06d3842c5c 16034 gnupg2_2.0.19-2.debian.tar.bz2
 aa8398d1268e0a054d5f95d48c1e37e8fa0929e0 464876 gnupg-agent_2.0.19-2_amd64.deb
 372a509e74d6e1093397b06ca12267f981ede106 217540 scdaemon_2.0.19-2_amd64.deb
 8f282a3acde493fa6f74493346581c7be63e5041 255960 gpgsm_2.0.19-2_amd64.deb
 32b9abde748c4eb23535e3961e2bebc3d172a7ca 2283718 gnupg2_2.0.19-2_amd64.deb
Checksums-Sha256: 
 fa215f2ad0922b254e70c02bcf1026ba8a30ddac11f5b115a48c3ea7c9499af8 1595 
gnupg2_2.0.19-2.dsc
 9270596930bedbbe8a8d69152793c315e5188c28765f0ffcb21789ecd6b29aee 16034 
gnupg2_2.0.19-2.debian.tar.bz2
 ebbd151c24dfeeca511711fdaddb58fd0c27b718c4430b7cb7b04de7bcdc52eb 464876 
gnupg-agent_2.0.19-2_amd64.deb
 d5d81630867b7f4da2699eee6606cdc5f4477776d703a9a9861f33c0549bb8e0 217540 
scdaemon_2.0.19-2_amd64.deb
 2db6b3bd9164385cfc2730b4e22c37c59ace1cced9c748dcffc5102fea014265 255960 
gpgsm_2.0.19-2_amd64.deb
 ba13b33b0921ac0451956d5df213ff9e0981b34b7307201dfd93b4777ea011e4 2283718 
gnupg2_2.0.19-2_amd64.deb
Files: 
 4dff28834bec7f4701999df6e646fba7 1595 utils optional gnupg2_2.0.19-2.dsc
 d6080123c70f90947485723b175da541 16034 utils optional 
gnupg2_2.0.19-2.debian.tar.bz2
 d6b741c37dca5acf12511eba4cd6730e 464876 utils optional 
gnupg-agent_2.0.19-2_amd64.deb
 6b94af9ea60a84cea0f0eff77411355b 217540 utils optional 
scdaemon_2.0.19-2_amd64.deb
 1cd1abd11ab1e2ef70db2447d6e2037c 255960 utils optional gpgsm_2.0.19-2_amd64.deb
 200cde741c0d711a2291ab850962028d 2283718 utils optional 
gnupg2_2.0.19-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDmdO4ACgkQYemOzxbZcMazlACgpudqWwnpj63j7upoGUi1K10u
seoAniNvNBQmJfMJPyTvRo8q58uoErd/
=FwmR
-----END PGP SIGNATURE-----

--- End Message ---