Bugzilla – Bug 1201225
VUL-0: CVE-2022-34903: gpg2: vulnerable to status injection
Last modified: 2022-12-20 11:19:28 UTC
CVE-2022-34903 GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34903 https://www.openwall.com/lists/oss-security/2022/06/30/1 https://seclists.org/oss-sec/2022/q3/0 http://www.openwall.com/lists/oss-security/2022/07/02/1 https://www.debian.org/security/2022/dsa-5174 https://bugs.debian.org/1014157 http://www.debian.org/security/-1/dsa-5174 http://www.cvedetails.com/cve/CVE-2022-34903/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34903 https://dev.gnupg.org/T6027 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014157 https://www.cve.org/CVERecord?id=CVE-2022-34903
Affected (fixing patch applies): - SUSE:SLE-11:Update/gpg2 2.0.9 - SUSE:SLE-12:Update/gpg2 2.0.24 - SUSE:SLE-15-SP3:Update/gpg2 2.2.27 - SUSE:SLE-15:Update/gpg2 2.2.5 - SUSE:Carwos:1/gpg2 2.2.5 - openSUSE:Factory/gpg2 2.3.6
Almost two weeks since the issue was up, 10 days a bug, 4 days a release, 3 days a straightforward submission.... is there any way this can be moved along?
https://build.opensuse.org/request/show/988764
(In reply to Andreas Stieger from comment #3) > Almost two weeks since the issue was up, 10 days a bug, 4 days a release, 3 > days a straightforward submission.... is there any way this can be moved > along? Hello Andreas, Excuse the delay, the maintainer was not available. I made sure the request for Factory was accepted. Today I also sent fixes for Leap and SLE and they will appear soon in repositories. Thanks for the reminder.
This is an autogenerated message for OBS integration: This bug (1201225) was mentioned in https://build.opensuse.org/request/show/989805 Factory / gpg2
SUSE-SU-2022:2529-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1201225 CVE References: CVE-2022-34903 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): gpg2-2.0.24-9.11.1 SUSE OpenStack Cloud 9 (src): gpg2-2.0.24-9.11.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): gpg2-2.0.24-9.11.1 SUSE Linux Enterprise Server 12-SP5 (src): gpg2-2.0.24-9.11.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): gpg2-2.0.24-9.11.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): gpg2-2.0.24-9.11.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): gpg2-2.0.24-9.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2546-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1196125,1201225 CVE References: CVE-2022-34903 JIRA References: Sources used: openSUSE Leap 15.4 (src): gpg2-2.2.27-150300.3.5.1 openSUSE Leap 15.3 (src): gpg2-2.2.27-150300.3.5.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): gpg2-2.2.27-150300.3.5.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): gpg2-2.2.27-150300.3.5.1 SUSE Linux Enterprise Micro 5.2 (src): gpg2-2.2.27-150300.3.5.1 SUSE Linux Enterprise Micro 5.1 (src): gpg2-2.2.27-150300.3.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All submitted and accepted. Assigning back to security-team.
openSUSE-SU-2022:2546-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1196125,1201225 CVE References: CVE-2022-34903 JIRA References: Sources used: openSUSE Leap Micro 5.2 (src): gpg2-2.2.27-150300.3.5.1
SUSE-SU-2022:3144-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1201225 CVE References: CVE-2022-34903 JIRA References: Sources used: SUSE Manager Server 4.1 (src): gpg2-2.2.5-150000.4.22.1 SUSE Manager Retail Branch Server 4.1 (src): gpg2-2.2.5-150000.4.22.1 SUSE Manager Proxy 4.1 (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise Server for SAP 15 (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise Server 15-LTSS (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): gpg2-2.2.5-150000.4.22.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): gpg2-2.2.5-150000.4.22.1 SUSE Enterprise Storage 7 (src): gpg2-2.2.5-150000.4.22.1 SUSE Enterprise Storage 6 (src): gpg2-2.2.5-150000.4.22.1 SUSE CaaS Platform 4.0 (src): gpg2-2.2.5-150000.4.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done