Bug 1201225 (CVE-2022-34903)

Summary:	VUL-0: CVE-2022-34903: gpg2: vulnerable to status injection
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Hu <cathy.hu>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	Andreas.Stieger, david.anes, pdostal, pmonrealgonzalez, rfrohl, security-team
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/336147/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-34903:6.8:(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Hu 2022-07-05 13:02:11 UTC

CVE-2022-34903

GnuPG through 2.3.6, in unusual situations where an attacker possesses any
secret-key information from a victim's keyring and other constraints (e.g., use
of GPGME) are met, allows signature forgery via injection into the status line.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34903
https://www.openwall.com/lists/oss-security/2022/06/30/1
https://seclists.org/oss-sec/2022/q3/0
http://www.openwall.com/lists/oss-security/2022/07/02/1
https://www.debian.org/security/2022/dsa-5174
https://bugs.debian.org/1014157
http://www.debian.org/security/-1/dsa-5174
http://www.cvedetails.com/cve/CVE-2022-34903/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34903
https://dev.gnupg.org/T6027
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014157
https://www.cve.org/CVERecord?id=CVE-2022-34903

Comment 1 Hu 2022-07-05 13:03:09 UTC

Affected (fixing patch applies):
- SUSE:SLE-11:Update/gpg2      2.0.9
- SUSE:SLE-12:Update/gpg2      2.0.24
- SUSE:SLE-15-SP3:Update/gpg2  2.2.27
- SUSE:SLE-15:Update/gpg2      2.2.5
- SUSE:Carwos:1/gpg2           2.2.5
- openSUSE:Factory/gpg2        2.3.6

Comment 3 Andreas Stieger 2022-07-15 16:47:36 UTC

Almost two weeks since the issue was up, 10 days a bug, 4 days a release, 3 days a straightforward submission.... is there any way this can be moved along?

Comment 4 Andreas Stieger 2022-07-15 16:54:18 UTC

https://build.opensuse.org/request/show/988764

Comment 6 David Anes 2022-07-18 08:06:30 UTC

(In reply to Andreas Stieger from comment #3)
> Almost two weeks since the issue was up, 10 days a bug, 4 days a release, 3
> days a straightforward submission.... is there any way this can be moved
> along?

Hello Andreas,

Excuse the delay, the maintainer was not available. I made sure the request for Factory was accepted.

Today I also sent fixes for Leap and SLE and they will appear soon in repositories.

Thanks for the reminder.

Comment 7 OBSbugzilla Bot 2022-07-18 08:40:03 UTC

This is an autogenerated message for OBS integration:
This bug (1201225) was mentioned in
https://build.opensuse.org/request/show/989805 Factory / gpg2

Comment 8 Swamp Workflow Management 2022-07-22 16:17:28 UTC

SUSE-SU-2022:2529-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201225
CVE References: CVE-2022-34903
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    gpg2-2.0.24-9.11.1
SUSE OpenStack Cloud 9 (src):    gpg2-2.0.24-9.11.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    gpg2-2.0.24-9.11.1
SUSE Linux Enterprise Server 12-SP5 (src):    gpg2-2.0.24-9.11.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    gpg2-2.0.24-9.11.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    gpg2-2.0.24-9.11.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    gpg2-2.0.24-9.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2022-07-25 16:16:07 UTC

SUSE-SU-2022:2546-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1196125,1201225
CVE References: CVE-2022-34903
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    gpg2-2.2.27-150300.3.5.1
openSUSE Leap 15.3 (src):    gpg2-2.2.27-150300.3.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    gpg2-2.2.27-150300.3.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    gpg2-2.2.27-150300.3.5.1
SUSE Linux Enterprise Micro 5.2 (src):    gpg2-2.2.27-150300.3.5.1
SUSE Linux Enterprise Micro 5.1 (src):    gpg2-2.2.27-150300.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Pedro Monreal Gonzalez 2022-07-26 10:47:15 UTC

All submitted and accepted. Assigning back to security-team.

Comment 14 Swamp Workflow Management 2022-09-01 13:56:11 UTC

openSUSE-SU-2022:2546-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1196125,1201225
CVE References: CVE-2022-34903
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    gpg2-2.2.27-150300.3.5.1

Comment 15 Swamp Workflow Management 2022-09-07 13:33:05 UTC

SUSE-SU-2022:3144-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201225
CVE References: CVE-2022-34903
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    gpg2-2.2.5-150000.4.22.1
SUSE Manager Retail Branch Server 4.1 (src):    gpg2-2.2.5-150000.4.22.1
SUSE Manager Proxy 4.1 (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise Server for SAP 15 (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise Server 15-LTSS (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    gpg2-2.2.5-150000.4.22.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    gpg2-2.2.5-150000.4.22.1
SUSE Enterprise Storage 7 (src):    gpg2-2.2.5-150000.4.22.1
SUSE Enterprise Storage 6 (src):    gpg2-2.2.5-150000.4.22.1
SUSE CaaS Platform 4.0 (src):    gpg2-2.2.5-150000.4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Hu 2022-12-20 11:19:28 UTC

done