Rapid7 Vulnerability & Exploit Database

RHSA-2013:1459: gnupg2 security update

Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 10/09/2013
Created: 07/25/2018
Added: 10/28/2013
Modified: 07/04/2017

Description

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard.

A denial of service flaw was found in the way GnuPG parsed certain compressed OpenPGP packets. An attacker could use this flaw to send specially crafted input data to GnuPG, making GnuPG enter an infinite loop when parsing data. (CVE-2013-4402)

It was found that importing a corrupted public key into a GnuPG keyring database corrupted that keyring. An attacker could use this flaw to trick a local user into importing a specially crafted public key into their keyring database, causing the keyring to be corrupted and preventing its further use. (CVE-2012-6085)

It was found that GnuPG did not properly interpret the key flags in a PGP key packet. GPG could accept a key for uses not indicated by its holder. (CVE-2013-4351)

Red Hat would like to thank Werner Koch for reporting the CVE-2013-4402 issue. Upstream acknowledges Taylor R Campbell as the original reporter.

All gnupg2 users are advised to upgrade to this updated package, which contains backported patches to correct these issues.
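The key-flags issue (CVE-2013-4351) comes down to honouring the usages a key holder declared in the key-flags signature subpacket (RFC 4880, section 5.2.3.21) before accepting a key for a given operation. The following Python is an added illustration of that check and is not GnuPG's code or part of this advisory; the subpacket byte strings it parses are constructed for the example, and the decision of what to do when no key-flags subpacket is present is an assumption (here: grant nothing).

```python
"""Interpret OpenPGP key-flags subpackets (RFC 4880, section 5.2.3.21).

Illustration only, not GnuPG's implementation. It shows the check behind
CVE-2013-4351: a key is accepted for a use only if the key-flags subpacket
of its self-signature declares that use.
"""

# Flag bits RFC 4880 defines for the first octet of the key-flags body.
KEY_FLAG_BITS = {
    0x01: "certify",
    0x02: "sign",
    0x04: "encrypt_communications",
    0x08: "encrypt_storage",
    0x10: "split_key",      # informational: private key may be split
    0x20: "authenticate",
    0x80: "group_key",      # informational: held by more than one person
}

KEY_FLAGS_SUBPACKET_TYPE = 27


def parse_subpacket(data: bytes, offset: int = 0):
    """Return (subpacket_type, body, next_offset) for the subpacket at offset.

    Handles the 1-, 2- and 5-octet subpacket length encodings of
    RFC 4880 section 5.2.3.1 and refuses truncated or empty subpackets.
    """
    first = data[offset]
    if first < 192:
        length, hdr = first, 1
    elif first < 255:
        length = ((first - 192) << 8) + data[offset + 1] + 192
        hdr = 2
    else:
        length = int.from_bytes(data[offset + 1:offset + 5], "big")
        hdr = 5
    start = offset + hdr
    if length < 1 or start + length > len(data):
        raise ValueError("truncated or empty subpacket")
    sub_type = data[start] & 0x7F   # high bit marks a critical subpacket
    body = data[start + 1:start + length]
    return sub_type, body, start + length


def parse_key_flags(subpackets: bytes) -> set:
    """Return the set of usages declared by the key-flags subpacket.

    Assumption for this example: a missing key-flags subpacket grants no
    usage at all, so a caller has to opt in explicitly for legacy keys.
    """
    offset = 0
    while offset < len(subpackets):
        sub_type, body, offset = parse_subpacket(subpackets, offset)
        if sub_type == KEY_FLAGS_SUBPACKET_TYPE and body:
            flags = body[0]
            return {name for bit, name in KEY_FLAG_BITS.items() if flags & bit}
    return set()


def usage_allowed(subpackets: bytes, usage: str) -> bool:
    """The check an implementation should make before using a key."""
    return usage in parse_key_flags(subpackets)


# Constructed hashed-subpacket areas: a features subpacket (type 30)
# followed by key flags 0x0C (encrypt only), and a key flags 0x03
# (certify + sign) subpacket on its own.
ENCRYPT_ONLY_SUBKEY = bytes([0x02, 0x1E, 0x01, 0x02, 0x1B, 0x0C])
SIGNING_KEY = bytes([0x02, 0x1B, 0x03])

if __name__ == "__main__":
    for label, area in (("encrypt-only", ENCRYPT_ONLY_SUBKEY),
                        ("signing", SIGNING_KEY)):
        print(label, sorted(parse_key_flags(area)))
        print("  may sign:", usage_allowed(area, "sign"))
        print("  may encrypt:", usage_allowed(area, "encrypt_communications"))
```

The point of the example is the direction of the decision: an encryption-only subkey must be refused for signing even though its key material could technically produce a signature, and the same holds in reverse for a signing key presented for encryption.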

Solution(s)

  • redhat-upgrade-gnupg2
  • redhat-upgrade-gnupg2-debuginfo
  • redhat-upgrade-gnupg2-smime
