Bug 87130 (CVE-2005-2023)

Summary: VUL-0: CVE-2005-2023: S/Mime signing broken?
Product: [Novell Products] SUSE Security Incidents
Reporter: Forgotten User jq9zgB7cRO <forgotten_jq9zgB7cRO>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: ast, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: All   
Whiteboard: CVE-2005-2023: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: patchinfo-box.gpg2

Description Forgotten User jq9zgB7cRO 2005-06-04 16:48:21 UTC
S/Mime signing broken on 9.3
From: G Davies <gdavies@anothercrap.com>
Date: Saturday 04 Jun 2005 13:43:39
Groups: novell.support.suse.linux.professional
no references

This is more of a heads up than a question, after spending most of a day trying to get S/Mime signing to work on Suse 9.3 I came across a thread (http://lists.gnupg.org/pipermail/gpa-dev/2005-June/002291.html) on the gpa-dev mailing list that appears to have pinpointed the problem.

Basically, the gpg2 version Novell/Suse used (1.9.14) had a silly bug in it that broke things, unfortunately there's no updated package (mainline or supplementary) that I know of so you will need to install gpg2 from source (oh what fun, all those broken dependencies), roll your own RPM, or wait for someone else to produce an RPM (PackMan maybe?).

Hope this is useful to someone, I wasted a lot of time before finding this.

Gayle
Comment 1 Thomas Biege 2005-06-06 07:36:31 UTC
reassigned to maintainer.
Comment 2 Klaus Singvogel 2005-06-06 12:17:13 UTC
That's gpg2! Wrong maintainer chosen, reassigning bug. 
Comment 3 Petr Ostadal 2005-06-08 13:08:34 UTC
fix:

diff -urpP gnupg-1.9.14/common/asshelp.c gnupg-1.9.15/common/asshelp.c
--- gnupg-1.9.14/common/asshelp.c       2004-12-18 09:35:31.000000000 +0000
+++ gnupg-1.9.15/common/asshelp.c       2005-01-03 11:23:48.000000000 +0000
@@ -150,7 +150,7 @@ send_pinentry_environment (assuan_contex
 #endif
   if (opt_lc_messages || (dft_ttyname && dft_lc))
     {
-      err = send_one_option (ctx, errsource, "display",
+      err = send_one_option (ctx, errsource, "lc-messages",
                              opt_lc_messages ? opt_lc_messages : dft_lc);
     }
 #if defined(HAVE_SETLOCALE) && defined(LC_MESSAGES)
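Review bot: The one-word change at the send_one_option call in the lc-messages branch is posted with only "fix:" and no explanation; the description should state that the old line sent the locale value (opt_lc_messages, or dft_lc as fallback) under the option name "display", so the locale string was delivered as the display setting and lc-messages was never set. Because only this one call is visible in the hunk, the other send_one_option calls in send_pinentry_environment should be checked for the same copy-and-paste of the option name before the update ships.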
Comment 4 Petr Ostadal 2005-06-08 13:18:00 UTC
Can I make YOU for package gpg2 in SL9.3?
Comment 5 Thomas Biege 2005-06-09 08:18:06 UTC
SM-Tracker-1499
Comment 6 Thomas Biege 2005-06-09 08:21:25 UTC
Created attachment 38862
patchinfo-box.gpg2
Comment 7 Anja Stock 2005-06-09 10:53:23 UTC
Assigning to postadal@suse.de
Comment 8 Petr Ostadal 2005-06-10 11:43:21 UTC
fixed and submitted with patchinfo.
Comment 9 Marcus Meissner 2005-06-15 08:37:18 UTC
updated packages for 9.3 approved. 
Comment 10 Marcus Meissner 2005-07-08 08:02:03 UTC
CAN-2005-2023 
Comment 11 Thomas Biege 2009-10-13 21:26:20 UTC
CVE-2005-2023: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)