Security Advisory Moderate: gnupg2 security update

Advisory: RHSA-2010:0603-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-08-04
Last updated on: 2010-08-04
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2010-2547

Details

An updated gnupg2 package that fixes one security issue is now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and
creating digital signatures, compliant with the proposed OpenPGP Internet
standard and the S/MIME standard.

A use-after-free flaw was found in the way gpgsm, a Cryptographic Message
Syntax (CMS) encryption and signing tool, handled X.509 certificates with
a large number of Subject Alternative Names. A specially crafted X.509
certificate could, when imported, cause gpgsm to crash or, possibly,
execute arbitrary code. (CVE-2010-2547)

All gnupg2 users should upgrade to this updated package, which contains a
backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
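A practical check after applying the update is to confirm that the installed gnupg2 build is at or above the fixed build listed in this advisory, 2.0.10-3.el5_5.1. The comparison has to follow rpm's version ordering, not plain string order, because a release such as "3.el5_5.1" must sort above "3.el5". The following Python script is an added example, not Red Hat's code or part of the advisory; it reimplements a simplified form of rpm's rpmvercmp algorithm (the "~" and "^" ordering of newer rpm releases is not handled), takes "rpm -q gnupg2" style NVRA strings as input, and reports which hosts still carry an unfixed build. The sample query output is constructed for the example.

```python
import re

# Fixed gnupg2 build published in RHSA-2010:0603-1 (version-release, taken from the advisory).
FIXED_EVR = "2.0.10-3.el5_5.1"

# Constructed sample of "rpm -q gnupg2" output from two hosts (not real data).
SAMPLE_RPM_QUERY = {
    "host-a": "gnupg2-2.0.10-3.el5.x86_64",       # pre-advisory build
    "host-b": "gnupg2-2.0.10-3.el5_5.1.x86_64",   # fixed build
}

_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings in rpm order (simplified rpmvercmp).
    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators ('.', '_', '-', ...) are skipped; only alphanumeric segments count.
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        ma, mb = _SEGMENT.match(a, i), _SEGMENT.match(b, j)
        sa, sb = ma.group(0), mb.group(0)
        i, j = ma.end(), mb.end()
        if sa.isdigit() != sb.isdigit():
            # A numeric segment sorts after an alphabetic one.
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            # Numeric segments compare by magnitude: drop leading zeros, then by length.
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # One side ran out of segments: the string with segments left is newer.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); a missing epoch is '0'."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c != 0:
            return c
    return 0


def evr_from_nvra(nvra: str, name: str = "gnupg2") -> str:
    """Extract 'version-release' from an 'rpm -q' NVRA string such as
    'gnupg2-2.0.10-3.el5.x86_64' (architecture suffix is dropped)."""
    body = nvra[len(name) + 1:] if nvra.startswith(name + "-") else nvra
    body, _, _arch = body.rpartition(".")
    return body


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build is at or above the advisory's fixed build."""
    return compare_evr(installed_evr, fixed_evr) >= 0


def audit(rpm_query_by_host: dict) -> dict:
    """Map each host to True (fixed) or False (still vulnerable per this advisory)."""
    return {host: is_fixed(evr_from_nvra(nvra)) for host, nvra in rpm_query_by_host.items()}


if __name__ == "__main__":
    for host, fixed in audit(SAMPLE_RPM_QUERY).items():
        print(f"{host}: {'fixed' if fixed else 'NOT FIXED (CVE-2010-2547)'}")
```

On a real system the input would come from "rpm -q gnupg2" on each host; the comparison is the part worth getting right, since a naive string compare would rank "3.el5_5.1" below "3.el5" and report a patched host as vulnerable.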

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
gnupg2-2.0.10-3.el5_5.1.src.rpm
File outdated by: RHSA-2013:1459
MD5: c6bb1f3593d76237b1eabbc1572a8afc
SHA-256: a612cf391982ba66cbaccd4a226f23327afc0c4099e7d5470879ddec0d0199f0

IA-32:
gnupg2-2.0.10-3.el5_5.1.i386.rpm
File outdated by: RHSA-2013:1459
MD5: 68b9c3a7d402993877dc5a8ac6e42bce
SHA-256: 1c19c285082fafcd2a1892dcab76122d626f49692352aa0448f1c0a746bece73

IA-64:
gnupg2-2.0.10-3.el5_5.1.ia64.rpm
File outdated by: RHSA-2013:1459
MD5: 554f3a3f6c92c47a4b452afaaf1877ea
SHA-256: 45cc03a83989cb34b1bec08052352a53a61a6dbb7b448e86a9e547a3923e6f81

PPC:
gnupg2-2.0.10-3.el5_5.1.ppc.rpm
File outdated by: RHSA-2013:1459
MD5: 3a6c26421b4fdcff3806ff297be279ba
SHA-256: f4e564466a6d1cd27278e11fd1c85212b03048f377b73d1d353b47acb078d5d0

s390x:
gnupg2-2.0.10-3.el5_5.1.s390x.rpm
File outdated by: RHSA-2013:1459
MD5: 0db5c6136bcf3db9aa20243183a5bb99
SHA-256: 6ab472642f96bcce879c4e0a54a6ccca6a0d1f274b359e051546a1245a50c52c

x86_64:
gnupg2-2.0.10-3.el5_5.1.x86_64.rpm
File outdated by: RHSA-2013:1459
MD5: ff48b922be782f829f5092b4e48fd739
SHA-256: de63905e286914a43cfed8ec6ddabef7d261396e0bc744f1bfdb6eefbe258bfb

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
gnupg2-2.0.10-3.el5_5.1.src.rpm
File outdated by: RHSA-2013:1459
MD5: c6bb1f3593d76237b1eabbc1572a8afc
SHA-256: a612cf391982ba66cbaccd4a226f23327afc0c4099e7d5470879ddec0d0199f0

IA-32:
gnupg2-2.0.10-3.el5_5.1.i386.rpm
File outdated by: RHSA-2013:1459
MD5: 68b9c3a7d402993877dc5a8ac6e42bce
SHA-256: 1c19c285082fafcd2a1892dcab76122d626f49692352aa0448f1c0a746bece73

x86_64:
gnupg2-2.0.10-3.el5_5.1.x86_64.rpm
File outdated by: RHSA-2013:1459
MD5: ff48b922be782f829f5092b4e48fd739
SHA-256: de63905e286914a43cfed8ec6ddabef7d261396e0bc744f1bfdb6eefbe258bfb

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

618156 - CVE-2010-2547 GnuPG 2: use-after-free when importing certificate with many alternate names

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/