lp:ubuntu/hoary-security/gnupg
- Get this branch:
- bzr branch lp:ubuntu/hoary-security/gnupg
Recent revisions
- 7. By Martin Pitt
* SECURITY UPDATE: Local arbitrary code execution.
* Add debian/patches/27_comment_control_overflow.dpatch:
- Fix buffer overflows in parse_comment() and parse_gpg_control().
- Patch extracted from stable 1.4.5 release.
- Reproducer:
perl -e 'print "\xfd\xff\xff\xff\xff\xfe"' | gpg --no-armor
- Credit: Evgeny Legerov
- CVE-2006-3746
- 6. By Martin Pitt
* SECURITY UPDATE: Crash and possibly arbitrary code execution.
* Add debian/patches/26_user_id_overflow.dpatch:
- Cap size of user ID packets to avoid overflow.
- Patch ported from Debian's 1.4.3-2, originally from upstream SVN.
- CVE-2006-3082
- 5. By Martin Pitt
* SECURITY UPDATE: Fix signature verification bypass.
* Add debian/patches/24_multisig.dpatch:
- Apply upstream patch to fix correct verification on invalid multiple
signatures.
- CVE-2006-0049
- 4. By Martin Pitt
* SECURITY UPDATE: Fix potential signature verification bypass.
* Add debian/patches/23_verify_exit_code.dpatch:
- Security fix for a verification weakness in gpgv. Some input
could lead to gpgv exiting with 0 even if the detached signature
file did not carry any signature. This is not as fatal as it
might seem because the suggestion has always been not to rely on
the exit code but to parse the --status-fd messages. However it
is likely that gpgv is used in that simplified way and thus we
do this release. Same problem with "gpg --verify" but nobody
should have used this for signature verification without
checking the status codes anyway.
- Upstream patch from 1.4.2.1.
- CVE-2006-0455
- 3. By Martin Pitt
* SECURITY UPDATE: Fix possible encryption weakening.
* Add debian/patches/21_disable_quick_scan.dpatch:
- Disable quick scan feature to avoid being vulnerable to Serge Mister's
and Robert Zuccherato's timing attack.
- CAN-2005-0366
- 2. By Martin Pitt
debian/rules: Call pkgstriptranslations if present (the package does not
use debhelper, thus it does not happen automatically).
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/lucid/gnupg