Scientific Linux alert SLSA-2013:1459-1 (gnupg2)

From:
    	     
 
Pat Riehecky <riehecky@fnal.gov> 
To:
    	     
 
<scientific-linux-errata@listserv.fnal.gov> 
Subject:
    	     
 
Security ERRATA Moderate: gnupg2 on SL5.x, SL6.x i386/x86_64 
Date:
    	     
 
Thu, 24 Oct 2013 16:49:52 +0000
Message-ID:
    	     
 
<20131024164952.28323.27498@slpackages.fnal.gov>

Synopsis:          Moderate: gnupg2 security update
Advisory ID:       SLSA-2013:1459-1
Issue Date:        2013-10-24
CVE Numbers:       CVE-2012-6085
                   CVE-2013-4351
                   CVE-2013-4402
--

A denial of service flaw was found in the way GnuPG parsed certain
compressed OpenPGP packets. An attacker could use this flaw to send
specially crafted input data to GnuPG, making GnuPG enter an infinite loop
when parsing data. (CVE-2013-4402)

It was found that importing a corrupted public key into a GnuPG keyring
database corrupted that keyring. An attacker could use this flaw to trick
a local user into importing a specially crafted public key into their
keyring database, causing the keyring to be corrupted and preventing its
further use. (CVE-2012-6085)

It was found that GnuPG did not properly interpret the key flags in a PGP
key packet. GPG could accept a key for uses not indicated by its holder.
(CVE-2013-4351)
--

SL5
  x86_64
    gnupg2-2.0.10-6.el5_10.x86_64.rpm
    gnupg2-debuginfo-2.0.10-6.el5_10.x86_64.rpm
  i386
    gnupg2-2.0.10-6.el5_10.i386.rpm
    gnupg2-debuginfo-2.0.10-6.el5_10.i386.rpm
SL6
  x86_64
    gnupg2-2.0.14-6.el6_4.x86_64.rpm
    gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
    gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm
  i386
    gnupg2-2.0.14-6.el6_4.i686.rpm
    gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm
    gnupg2-smime-2.0.14-6.el6_4.i686.rpm

- Scientific Linux Development Team