SB2015042306 - Input validation error in gnupg (Alpine package)
Published: April 23, 2015
Security Bulletin ID
SB2015042306
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2015-1607)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and "memcpy with overlapping ranges."
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=332d853b24780ff51a7b2c31421336c4ba2d849f
- https://git.alpinelinux.org/aports/commit/?id=260ed10e0c65baf73df65d96a63ad1b62b42e91c
- https://git.alpinelinux.org/aports/commit/?id=17a96534e9109383fc8407ca03b82f7344bd960f
- https://git.alpinelinux.org/aports/commit/?id=7991b613b03b2288f7c2521d0630dfdea232ba39