
Security Advisory Moderate: gnupg2 security update

Advisory: RHSA-2013:1459-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-10-24
Last updated on: 2013-10-24
Affected Products:
  Red Hat Enterprise Linux (v. 5 server)
  Red Hat Enterprise Linux Desktop (v. 5 client)
  Red Hat Enterprise Linux Desktop (v. 6)
  Red Hat Enterprise Linux HPC Node (v. 6)
  Red Hat Enterprise Linux Server (v. 6)
  Red Hat Enterprise Linux Server AUS (v. 6.4)
  Red Hat Enterprise Linux Server EUS (v. 6.4.z)
  Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org):
  CVE-2012-6085
  CVE-2013-4351
  CVE-2013-4402

Details

An updated gnupg2 package that fixes three security issues is now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and
creating digital signatures, compliant with the proposed OpenPGP Internet
standard and the S/MIME standard.

A denial of service flaw was found in the way GnuPG parsed certain
compressed OpenPGP packets. An attacker could use this flaw to send
specially crafted input data to GnuPG, making GnuPG enter an infinite loop
when parsing data. (CVE-2013-4402)

It was found that importing a corrupted public key into a GnuPG keyring
database corrupted that keyring. An attacker could use this flaw to trick a
local user into importing a specially crafted public key into their keyring
database, causing the keyring to be corrupted and preventing its further
use. (CVE-2012-6085)

It was found that GnuPG did not properly interpret the key flags in a PGP
key packet. GPG could accept a key for uses not indicated by its holder.
(CVE-2013-4351)
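
The flaw class behind CVE-2013-4351, shown as an added illustration (this is not GnuPG source code): a key flags field that is present but has every bit clear is confused with a missing field, so a permissive default is applied. The function names and the `algo_default_usage` fallback are hypothetical; the flag bit values are those of RFC 4880.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Key flag bits, RFC 4880 section 5.2.3.21. */
#define KF_CERTIFY 0x01
#define KF_SIGN    0x02
#define KF_ENCRYPT (0x04 | 0x08)  /* communications | storage */
#define KF_AUTH    0x20
#define KF_ALL     (KF_CERTIFY | KF_SIGN | KF_ENCRYPT | KF_AUTH)

/* Hypothetical fallback for a key with no key flags subpacket at all. */
static unsigned algo_default_usage(void) { return KF_ALL; }

/* Flawed pattern: zero doubles as the "no subpacket" sentinel, so an
 * explicit all-zero flags field falls through to the permissive default. */
unsigned usage_flawed(const uint8_t *flags, size_t len)
{
    unsigned usage = (flags && len > 0) ? (flags[0] & KF_ALL) : 0;
    if (usage == 0)
        usage = algo_default_usage();
    return usage;
}

/* Corrected pattern: presence is tracked separately from value; a field
 * that is present but empty means no usage is permitted. */
unsigned usage_fixed(const uint8_t *flags, size_t len)
{
    if (flags == NULL)
        return algo_default_usage();          /* subpacket absent */
    return len > 0 ? (flags[0] & KF_ALL) : 0; /* honour the holder's flags */
}

/* Policy check applied before a key is used for an operation. */
int key_allowed_for(unsigned usage, unsigned wanted)
{
    return (usage & wanted) != 0;
}

int main(void)
{
    const uint8_t no_usage[] = { 0x00 };  /* constructed sample: all bits clear */
    printf("flawed: encrypt allowed = %d\n",
           key_allowed_for(usage_flawed(no_usage, 1), KF_ENCRYPT));
    printf("fixed:  encrypt allowed = %d\n",
           key_allowed_for(usage_fixed(no_usage, 1), KF_ENCRYPT));
    return 0;
}
```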

Red Hat would like to thank Werner Koch for reporting the CVE-2013-4402
issue. Upstream acknowledges Taylor R Campbell as the original reporter.

All gnupg2 users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
gnupg2-2.0.10-6.el5_10.src.rpm

IA-32:
gnupg2-2.0.10-6.el5_10.i386.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.i386.rpm

IA-64:
gnupg2-2.0.10-6.el5_10.ia64.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.ia64.rpm

PPC:
gnupg2-2.0.10-6.el5_10.ppc.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.ppc.rpm

s390x:
gnupg2-2.0.10-6.el5_10.s390x.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.s390x.rpm

x86_64:
gnupg2-2.0.10-6.el5_10.x86_64.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
gnupg2-2.0.10-6.el5_10.src.rpm

IA-32:
gnupg2-2.0.10-6.el5_10.i386.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.i386.rpm

x86_64:
gnupg2-2.0.10-6.el5_10.x86_64.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
gnupg2-2.0.14-6.el6_4.src.rpm

IA-32:
gnupg2-2.0.14-6.el6_4.i686.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm
gnupg2-smime-2.0.14-6.el6_4.i686.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
gnupg2-2.0.14-6.el6_4.src.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
gnupg2-2.0.14-6.el6_4.src.rpm

IA-32:
gnupg2-2.0.14-6.el6_4.i686.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm
gnupg2-smime-2.0.14-6.el6_4.i686.rpm

PPC:
gnupg2-2.0.14-6.el6_4.ppc64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.ppc64.rpm
gnupg2-smime-2.0.14-6.el6_4.ppc64.rpm

s390x:
gnupg2-2.0.14-6.el6_4.s390x.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.s390x.rpm
gnupg2-smime-2.0.14-6.el6_4.s390x.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server AUS (v. 6.4)

SRPMS:
gnupg2-2.0.14-6.el6_4.src.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.4.z)

SRPMS:
gnupg2-2.0.14-6.el6_4.src.rpm

IA-32:
gnupg2-2.0.14-6.el6_4.i686.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm
gnupg2-smime-2.0.14-6.el6_4.i686.rpm

PPC:
gnupg2-2.0.14-6.el6_4.ppc64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.ppc64.rpm
gnupg2-smime-2.0.14-6.el6_4.ppc64.rpm

s390x:
gnupg2-2.0.14-6.el6_4.s390x.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.s390x.rpm
gnupg2-smime-2.0.14-6.el6_4.s390x.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
gnupg2-2.0.14-6.el6_4.src.rpm

IA-32:
gnupg2-2.0.14-6.el6_4.i686.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm
gnupg2-smime-2.0.14-6.el6_4.i686.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1010137 - CVE-2013-4351 gnupg: treats no-usage-permitted keys as all-usages-permitted
1015685 - CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser DoS
891142 - CVE-2012-6085 GnuPG: read_block() corrupt key input validation


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/