Bug 798465 – VUL-1: CVE-2012-6085: gnupg: potential database corruption

Bug 798465 - (CVE-2012-6085) VUL-1: CVE-2012-6085: gnupg: potential database corruption

(CVE-2012-6085)
Summary:	VUL-1: CVE-2012-6085: gnupg: potential database corruption

Status:	RESOLVED FIXED
Duplicates:	876581 880249 (view as bug list)

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle10-sp3:52510 maint:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2013-01-15 08:50 UTC by Matthias Weckbecker
Modified:	2018-10-19 18:21 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Weckbecker 2013-01-15 08:50:43 UTC

A report at Red Hat [1] from 2013-01-01 describes an issue with GnuPG that can
cause the public key db to end up being corrupted / cause a memory corruption.

Original issue reported upstream [2].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=891142
(example + patches included)
[2] https://bugs.g10code.com/gnupg/issue1455

Comment 1 Swamp Workflow Management 2013-05-08 00:46:40 UTC

The SWAMPID for this issue is 52394.
This issue was rated as low.
Please submit fixed packages until 2013-06-05.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/52394

Comment 2 Leonardo Chiquitto 2013-05-09 18:17:55 UTC

Update started. Please submit to 11-SP2 and 10-SP4.

Comment 6 Vítězslav Čížek 2013-05-14 14:23:04 UTC

Do we need updates for any other distribution?
Or is my work here done and I can reassign this bug back to security-team?

Comment 7 Matthias Weckbecker 2013-05-15 08:40:10 UTC

Security wants always wants to fix all affected products. Thank you.

Comment 8 Vítězslav Čížek 2013-05-15 15:39:16 UTC

openSUSE packages submitted.

Comment 10 Bernhard Wiedemann 2013-05-15 16:00:25 UTC

This is an autogenerated message for OBS integration:
This bug (798465) was mentioned in
https://build.opensuse.org/request/show/175760 Maintenance /

Comment 11 Bernhard Wiedemann 2013-05-27 07:00:25 UTC

This is an autogenerated message for OBS integration:
This bug (798465) was mentioned in
https://build.opensuse.org/request/show/176623 Maintenance /

Comment 12 Swamp Workflow Management 2013-05-31 16:04:29 UTC

openSUSE-SU-2013:0849-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 780943,798465
CVE References: CVE-2012-6085
Sources used:
openSUSE 12.2 (src):    gpg2-2.0.19-2.4.1
openSUSE 12.1 (src):    gpg2-2.0.18-7.4.1

Comment 13 Bernhard Wiedemann 2013-06-02 21:00:16 UTC

This is an autogenerated message for OBS integration:
This bug (798465) was mentioned in
https://build.opensuse.org/request/show/177209 Evergreen:11.2 / gpg2

Comment 14 Swamp Workflow Management 2013-06-10 09:09:08 UTC

openSUSE-SU-2013:0880-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 780943,798465
CVE References: CVE-2012-6085
Sources used:
openSUSE 12.3 (src):    gpg2-2.0.19-5.4.1

Comment 15 Swamp Workflow Management 2013-06-10 10:20:03 UTC

openSUSE-SU-2013:0957-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 780943,798465
CVE References: CVE-2012-6085
Sources used:
openSUSE 11.4 (src):    gpg2-2.0.16-10.1

Comment 16 Swamp Workflow Management 2013-06-20 09:50:12 UTC

Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Comment 17 Swamp Workflow Management 2013-06-20 10:04:27 UTC

Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)

Comment 18 Swamp Workflow Management 2013-06-20 10:05:20 UTC

Update released for: gpg, gpg-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

Comment 19 Swamp Workflow Management 2013-06-20 11:04:37 UTC

Update released for: gpg2, gpg2-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

Comment 20 Swamp Workflow Management 2013-06-20 11:47:50 UTC

Update released for: gpg, gpg-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

Comment 21 Swamp Workflow Management 2013-06-20 11:52:04 UTC

Update released for: gpg2, gpg2-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

Comment 23 Sebastian Krahmer 2013-07-03 11:22:53 UTC

released

Comment 24 Swamp Workflow Management 2013-07-03 14:00:12 UTC

Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)

Comment 25 Swamp Workflow Management 2013-10-25 15:46:44 UTC

Update released for: gpg, gpg-debuginfo
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)

Comment 26 Swamp Workflow Management 2013-10-25 15:47:58 UTC

Update released for: gpg, gpg-debuginfo
Products:
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)

Comment 27 Swamp Workflow Management 2014-04-11 15:30:02 UTC

The SWAMPID for this issue is 57003.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 28 Swamp Workflow Management 2014-06-03 19:47:08 UTC

Update released for: gpg2, gpg2-debuginfo, gpg2-debugsource, gpg2-lang
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)

Comment 29 Swamp Workflow Management 2014-06-03 23:04:57 UTC

SUSE-SU-2014:0750-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 778723,780943,798465,808958,840510,844175
CVE References: 
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    gpg2-2.0.9-25.33.37.6

Comment 30 Marcus Meissner 2014-06-10 13:42:23 UTC

*** Bug 880249 has been marked as a duplicate of this bug. ***

Comment 31 Leonardo Chiquitto 2014-06-11 12:42:44 UTC

*** Bug 876581 has been marked as a duplicate of this bug. ***