
MeeGo alert MeeGo-SA-10:30 (gnupg2)

From:  "Ware, Ryan R" <ryan.r.ware@intel.com>
To:  "meego-security@meego.com" <meego-security@meego.com>
Subject:  [MeeGo-security] [MeeGo-SA-10:30.gnupg2] DoS or Arbitrary Code Execution via Crafted Certificate
Date:  Thu, 20 Jan 2011 11:24:59 -0700
Message-ID:  <60F048A7-C6DD-4220-9183-D7473AA8267D@intel.com>
Archive-link:  Article, Thread

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
MeeGo-SA-10:30.gnupg2                                      Security Advisory
                                                              MeeGo Project

Topic:          DoS or Arbitrary Code Execution via Crafted Certificate

Category:       Security
Module:         gnupg2
Announced:      October 9, 2010
Affects:        MeeGo 1.0
Corrected:      October 9, 2010
MeeGo BID:      5115
CVE:            CVE-2010-2547

For general information regarding MeeGo Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://www.MeeGo.com/>.

I.   Background

GnuPG is GNU's tool for secure communication and data storage. It can be
used to encrypt data and to create digital signatures. It includes an
advanced key management facility and is compliant with the proposed OpenPGP
Internet standard as described in RFC2440 and the S/MIME standard as
described by several RFCs.

II.  Problem Description

CVE-2010-2547: Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in
GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via a certificate with a large
number of Subject Alternate Names, which is not properly handled in a realloc
operation when importing the certificate or verifying its signature.

CVSS v2 Base:   5.1 (MEDIUM)
Access Vector:  Network exploitable; victim must voluntarily interact with
                the attack mechanism (import or verify the crafted certificate)

III. Impact

CVE-2010-2547: Unauthorized disclosure of information, modification or
disruption of service due to resource management errors (CWE-399).

IV.  Workaround

None.

V.   Solution

Update to package gnupg2-2.0.14-3.1 or later.

VI.  References

http://bugs.meego.com/show_bug.cgi?id=5115
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://cwe.mitre.org/data/definitions/399.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (Darwin)

iQEcBAEBAgAGBQJNN6kIAAoJEEsJm1wYvCMbQu0H/3bRmc9fOQ0xu7m0CgzSGR19
wlS6HMluRPsm/A+RG/bDqPAl792Y+kxDKLMqZedD9NbOHmRiAPrV1yETrlYJRa8R
lJcal/2rSPpmano96eOcll/RCt+BwIYqfn4whOuZhgu+KkQzX7MCDcqSU3v0k9rT
H0jU/Ecb8JB3o+rGrzKFR1YzIflG7NrN20NfOcFMbi9lXsoSJhNfRug4X9R5TpS2
4+/8qYA7U4WChJURCAXq5AWcvaZdDhJ5AWd5CJlRAy64BhH6k1GEUbCJPiR9nOoE
OkIlLr1YIXY8VCk8+6vwcTB0vkxzM9g38SsyhgWqPLMpHyQNcAzTRybO2U4E8XE=
=FKJw
-----END PGP SIGNATURE-----
_______________________________________________
MeeGo-security mailing list
MeeGo-security@meego.com
http://lists.meego.com/listinfo/meego-security
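The advisory names the bug class (a use-after-free around a realloc operation while collecting a certificate's many Subject Alternate Names) without showing code. The following is an added illustration of that class written for this page; it is not GnuPG's kbx/keybox-blob.c code and does not reproduce the actual GnuPG fix. The struct, the function names (name_list_add_buggy, name_list_add, collect_sans_demo), the chunk size of 100 and the "sanN.example" input names are all constructed for the example. The buggy variant keeps using the pointer that realloc() may have freed; the hardened variant adopts the returned pointer before any further access and checks the size arithmetic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAMES_CHUNK 100   /* grow the name array 100 entries at a time (assumed) */

struct name_list {
    char **names;         /* heap array of pointers to name strings */
    size_t count;
    size_t capacity;
};

int name_list_init(struct name_list *l)
{
    l->names = malloc(NAMES_CHUNK * sizeof *l->names);
    if (!l->names)
        return -1;
    l->count = 0;
    l->capacity = NAMES_CHUNK;
    return 0;
}

/* Vulnerable pattern (constructed, not GnuPG's code): realloc() may move the
 * block and free the old one, but the list keeps writing through the stale
 * pointer. Not called below; run it only under AddressSanitizer to observe
 * the heap-use-after-free once a crafted input forces a move. */
int name_list_add_buggy(struct name_list *l, char *name)
{
    if (l->count >= l->capacity) {
        char **tmp = realloc(l->names, (l->capacity + NAMES_CHUNK) * sizeof *tmp);
        if (!tmp)
            return -1;
        l->capacity += NAMES_CHUNK;
        /* BUG: l->names is never replaced by tmp, so it may now be freed */
    }
    l->names[l->count++] = name;   /* write into freed memory after a move */
    return 0;
}

/* Hardened version: adopt the new block before touching it, and refuse a
 * capacity whose byte size would overflow size_t. */
int name_list_add(struct name_list *l, char *name)
{
    if (l->count >= l->capacity) {
        size_t newcap;
        char **tmp;
        if (l->capacity > SIZE_MAX / sizeof *tmp - NAMES_CHUNK)
            return -1;             /* allocation size would overflow */
        newcap = l->capacity + NAMES_CHUNK;
        tmp = realloc(l->names, newcap * sizeof *tmp);
        if (!tmp)
            return -1;             /* old block is still valid; caller frees it */
        l->names = tmp;            /* the fix: use the block realloc() returned */
        l->capacity = newcap;
    }
    l->names[l->count++] = name;
    return 0;
}

void name_list_free(struct name_list *l)
{
    size_t i;
    for (i = 0; i < l->count; i++)
        free(l->names[i]);
    free(l->names);
    l->names = NULL;
    l->count = l->capacity = 0;
}

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* Simulates importing a certificate that carries n Subject Alternate Names
 * (constructed as "san0.example", "san1.example", ...), which forces several
 * realloc() rounds. Returns the number of names collected and verified, or
 * -1 on allocation failure or if any entry was lost across a reallocation. */
long collect_sans_demo(size_t n)
{
    struct name_list l;
    size_t i;
    long result = -1;
    char buf[64];

    if (name_list_init(&l) < 0)
        return -1;
    for (i = 0; i < n; i++) {
        char *dup;
        snprintf(buf, sizeof buf, "san%zu.example", i);
        dup = dup_string(buf);
        if (!dup || name_list_add(&l, dup) < 0) {
            free(dup);
            goto out;
        }
    }
    for (i = 0; i < l.count; i++) {          /* every entry must have survived */
        snprintf(buf, sizeof buf, "san%zu.example", i);
        if (strcmp(l.names[i], buf) != 0)
            goto out;
    }
    result = (long)l.count;
out:
    name_list_free(&l);
    return result;
}

int main(void)
{
    long n = collect_sans_demo(1000);        /* about ten realloc() rounds */
    printf("collected %ld names\n", n);
    return n == 1000 ? 0 : 1;
}
```

To see the failure mode rather than the fix, build with -fsanitize=address, swap name_list_add for name_list_add_buggy inside collect_sans_demo and run it; the sanitizer reports a heap-use-after-free on the first growth step where the allocator moves the block. The overflow check matters for the same reason the advisory's "large number" matters: the attacker controls how many names the certificate carries, so the growth arithmetic must hold for any count.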




Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds