lp:ubuntu/hoary-security/gnupg

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hoary-security/gnupg
Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

7. By Martin Pitt

* SECURITY UPDATE: Local arbitrary code execution.
* Add debian/patches/27_comment_control_overflow.dpatch:
  - Fix buffer overflows in parse_comment() and parse_gpg_control().
  - Patch extracted from stable 1.4.5 release.
  - Reproducer:
    perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| gpg --no-armor
  - Credit: Evgeny Legerov
  - CVE-2006-3746

6. By Martin Pitt

* SECURITY UPDATE: Crash and possibly arbitrary code execution.
* Add debian/patches/26_user_id_overflow.dpatch:
  - Cap size of user ID packets to avoid overflow.
  - Patch ported from Debian's 1.4.3-2, originally from upstream SVN.
  - CVE-2006-3082

5. By Martin Pitt

* SECURITY UPDATE: Fix signature verification bypass.
* Add debian/patches/24_multisig.dpatch:
  - Apply upstream patch to fix correct verification on invalid multiple
    signatures.
  - CVE-2006-0049

4. By Martin Pitt

* SECURITY UPDATE: Fix potential signature verification bypass.
* Add debian/patches/23_verify_exit_code.dpatch:
  - Security fix for a verification weakness in gpgv. Some input
    could lead to gpgv exiting with 0 even if the detached signature
    file did not carry any signature. This is not as fatal as it
    might seem because the suggestion has always been not to rely on
    the exit code but to parse the --status-fd messages. However it
    is likely that gpgv is used in that simplified way and thus we
    do this release. Same problem with "gpg --verify" but nobody
    should have used this for signature verification without
    checking the status codes anyway.
  - Upstream patch from 1.4.2.1.
  - CVE-2006-0455

3. By Martin Pitt

* SECURITY UPDATE: Fix possible encryption weakening.
* Add debian/patches/21_disable_quick_scan.dpatch:
  - Disable quick scan feature to avoid being vulnerable to Serge Mister's
    and Robert Zuccherato's timing attack.
  - CAN-2005-0366

2. By Martin Pitt

debian/rules: Call pkgstriptranslations if present (the package does not
use debhelper, thus it does not happen automatically).

1. By Martin Pitt

Import upstream version 1.2.5

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/lucid/gnupg