
gpg2: information disclosure

Package(s): gpg2
CVE #(s): CVE-2013-4351
Created: September 27, 2013
Updated: November 13, 2013
Description:

From the openSUSE bug report:

RFC 4880 permits OpenPGP keyholders to mark their primary keys and subkeys with a "key flags" packet that indicates the capabilities of the key [0]. These are represented as a set of binary flags, including things like "This key may be used to encrypt communications."

If a key or subkey has this "key flags" subpacket attached with all bits cleared (off), GnuPG currently treats the key as having all bits set (on). While keys with this sort of marker are very rare in the wild, GnuPG's misinterpretation of this subpacket could lead to a breach of confidentiality or a mistaken identity verification.
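The misreading described in the report, as an added example that is not GnuPG's code: a parser that reports "no key flags subpacket" and "key flags present with all bits cleared" as the same value, next to one that keeps them apart. Function names, the one-octet-length simplification, the CAP_ALL fallback for a missing subpacket, and the sample bytes are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define KEY_FLAGS 27   /* subpacket type, RFC 4880 section 5.2.3.21 */
#define CAP_ALL   0x0F /* certify 0x01, sign 0x02, encrypt 0x04|0x08 */

/* Constructed hashed-subpacket areas: octets are length, type, body. */
static const uint8_t CLEARED[]   = {0x02, 0x1B, 0x00};
static const uint8_t SIGN_ONLY[] = {0x02, 0x1B, 0x02};
static const uint8_t ABSENT[]    = {0x05, 0x02, 0x52, 0x45, 0x00, 0x00};

/* Returns 1 and stores the first flags octet if a key flags subpacket is
 * present, 0 if absent, -1 if malformed. Simplification: only one-octet
 * subpacket lengths (< 192) are handled. */
static int find_key_flags(const uint8_t *buf, size_t len, uint8_t *flags)
{
    size_t i = 0;
    while (i < len) {
        size_t n = buf[i++];              /* length covers type + body */
        if (n == 0 || n >= 192 || n > len - i)
            return -1;
        if ((buf[i] & 0x7F) == KEY_FLAGS) {   /* mask the critical bit */
            *flags = (n > 1) ? buf[i + 1] : 0;
            return 1;
        }
        i += n;
    }
    return 0;
}

/* Flawed: "absent" and "all bits cleared" both end up as 0, and 0 falls
 * back to every capability (CAP_ALL stands in for the default here). */
static unsigned usage_conflated(const uint8_t *buf, size_t len)
{
    uint8_t f = 0;
    find_key_flags(buf, len, &f);
    return (f & CAP_ALL) ? (unsigned)(f & CAP_ALL) : CAP_ALL;
}

/* Corrected: presence is tracked separately, so an explicit empty flag
 * set grants nothing; malformed input fails closed. */
static unsigned usage_strict(const uint8_t *buf, size_t len)
{
    uint8_t f = 0;
    int rc = find_key_flags(buf, len, &f);
    return rc < 0 ? 0 : rc == 0 ? CAP_ALL : (unsigned)(f & CAP_ALL);
}
```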

Alerts:
Gentoo 201402-24 gnupg 2014-02-21
Fedora FEDORA-2013-18647 gnupg 2013-11-13
Scientific Linux SLSA-2013:1459-1 gnupg2 2013-10-24
Scientific Linux SLSA-2013:1458-1 gnupg 2013-10-24
Oracle ELSA-2013-1459 gnupg2 2013-10-24
Oracle ELSA-2013-1459 gnupg2 2013-10-24
Oracle ELSA-2013-1458 gnupg 2013-10-24
CentOS CESA-2013:1459 gnupg2 2013-10-25
CentOS CESA-2013:1459 gnupg2 2013-10-24
CentOS CESA-2013:1458 gnupg 2013-10-25
Red Hat RHSA-2013:1459-01 gnupg2 2013-10-24
Red Hat RHSA-2013:1458-01 gnupg 2013-10-24
Fedora FEDORA-2013-18676 gnupg 2013-10-12
Debian DSA-2774-1 gnupg2 2013-10-10
Debian DSA-2773-1 gnupg 2013-10-10
Ubuntu USN-1987-1 gnupg, gnupg2 2013-10-09
Mandriva MDVSA-2013:247 gnupg 2013-10-10
Mageia MGASA-2013-0299 gnupg2 2013-10-10
openSUSE openSUSE-SU-2013:1532-1 gpg2 2013-10-08
openSUSE openSUSE-SU-2013:1526-1 gpg2 2013-10-06
openSUSE openSUSE-SU-2013:1494-1 gpg2 2013-09-27



Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds