GnuPG: Denial of service — GLSA 201407-04

A vulnerability in GnuPG can lead to a Denial of Service condition.

Affected packages

Package: app-crypt/gnupg (all architectures)
Affected versions: < 2.0.24
Unaffected versions: >= 2.0.24; on the 1.4 branch, revision >= 1.4.17 (i.e. 1.4.17 and any Gentoo -rN revision of it), and likewise revision >= 1.4.18, revision >= 1.4.19, revision >= 1.4.20 and revision >= 1.4.21

Background

The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software.

Description

GnuPG does not properly handle a specially crafted compressed packet: parsing such a packet sends the program into an infinite loop.

Impact

A context-dependent attacker who can get GnuPG to process such a packet (for example as part of OpenPGP data handed to gpg) can cause a Denial of Service: the gpg process hangs in the loop and never finishes the operation.

Workaround

There is no known workaround at this time.

Resolution

All GnuPG 2.0 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.24"

All GnuPG 1.4 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.17"
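Before running the emerge commands, the check a practitioner usually wants is whether a given GnuPG build actually falls inside the advisory's affected ranges. The script below is an added example and is not part of GLSA 201407-04 or of GnuPG itself; the function names, the plain numeric version comparison and the stripping of Gentoo "-rN" suffixes are this example's own assumptions, derived from the ranges listed under Affected packages (1.4.x below 1.4.17 and 2.0.x below 2.0.24 affected, everything from 1.4.17 and 2.0.24 upwards on those branches unaffected).

```shell
# Added example, not part of GLSA 201407-04: classify a GnuPG version string
# against the advisory's affected ranges. POSIX sh, no GNU-specific tools.

# vercmp A B: compare two dotted version strings component by component and
# print -1, 0 or 1. Missing trailing components count as 0 (2 == 2.0.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' 0
}

# gnupg_glsa_201407_04_fixed VERSION (name is this example's own):
# exit 0 if VERSION is unaffected by the advisory, 1 if it is affected,
# 2 if VERSION is outside the 1.4 / 2.0 branches the advisory rates.
# Gentoo revision suffixes such as "1.4.18-r1" are stripped first.
gnupg_glsa_201407_04_fixed() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    case "$v" in
        1.4|1.4.*) [ "$(vercmp "$v" 1.4.17)" -ge 0 ] ;;
        2.0|2.0.*) [ "$(vercmp "$v" 2.0.24)" -ge 0 ] ;;
        *)         return 2 ;;
    esac
}

# Live check against whatever gpg is on PATH; skipped when none is installed.
# The first line of `gpg --version` ends in the version number.
if command -v gpg >/dev/null 2>&1; then
    installed=$(gpg --version 2>/dev/null | sed -n '1s/.* //p')
    rc=0
    gnupg_glsa_201407_04_fixed "$installed" || rc=$?
    case $rc in
        0) echo "gpg $installed: not affected by GLSA 201407-04" ;;
        1) echo "gpg $installed: AFFECTED, upgrade as in the Resolution section" ;;
        *) echo "gpg $installed: outside the 1.4/2.0 branches this advisory covers" ;;
    esac
fi
```

Versions on other branches get exit status 2 rather than a verdict, because the advisory only rates the 1.4 and 2.0 series; treat those separately rather than reading "not 1" as "safe".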

References

Release date
July 16, 2014

Latest revision
July 16, 2014: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries