Bug 918089 - (CVE-2015-1606) VUL-1: CVE-2015-1606: gpg2: Invalid memory read using a garbled keyring
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/113917/
CVSSv2:RedHat:CVE-2015-1606:1.2:(AV:L...
Reported: 2015-02-16 15:02 UTC by Johannes Segitz
Modified: 2016-01-11 13:40 UTC (History)
Found By: Security Response Team

Attachments
TFPA-2015-01-gnupg-keyring-use-after-free (144 bytes, application/octet-stream)
2015-12-02 07:59 UTC, Marcus Meissner

Comment 1 Swamp Workflow Management 2015-02-16 23:00:14 UTC
bugbot adjusting priority
Comment 5 Bernhard Wiedemann 2015-11-20 11:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (918089) was mentioned in
https://build.opensuse.org/request/show/345381 13.2+13.1 / gpg2
Comment 6 Swamp Workflow Management 2015-11-30 13:10:28 UTC
openSUSE-SU-2015:2153-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 918089,918090
CVE References: CVE-2015-1606,CVE-2015-1607
Sources used:
openSUSE 13.2 (src):    gpg2-2.0.26-2.3.1
openSUSE 13.1 (src):    gpg2-2.0.22-12.1
Comment 7 Marcus Meissner 2015-12-02 07:59:25 UTC
Created attachment 658029 [details]
TFPA-2015-01-gnupg-keyring-use-after-free

REPRODUCER:

gpg --no-default-keyring --keyring ./TFPA-2015-01-gnupg-keyring-use-after-free   --list-keys
Comment 8 SMASH SMASH 2015-12-02 13:51:37 UTC
An update workflow for this issue was started.

This issue was rated as "low".
Please submit fixed packages until "Dec. 30, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/62365/.
Comment 9 Swamp Workflow Management 2015-12-02 14:01:38 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-12-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62365
Comment 10 Swamp Workflow Management 2015-12-02 16:11:24 UTC
SUSE-SU-2015:2170-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 918089,918090
CVE References: CVE-2015-1606,CVE-2015-1607
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    gpg2-2.0.9-25.33.41.2
SUSE Linux Enterprise Server 11-SP4 (src):    gpg2-2.0.9-25.33.41.2
SUSE Linux Enterprise Server 11-SP3 (src):    gpg2-2.0.9-25.33.41.2
SUSE Linux Enterprise Desktop 11-SP4 (src):    gpg2-2.0.9-25.33.41.2
SUSE Linux Enterprise Desktop 11-SP3 (src):    gpg2-2.0.9-25.33.41.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gpg2-2.0.9-25.33.41.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    gpg2-2.0.9-25.33.41.2
Comment 11 Swamp Workflow Management 2015-12-02 16:11:54 UTC
SUSE-SU-2015:2171-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 918089,918090,952347,955753
CVE References: CVE-2015-1606,CVE-2015-1607
Sources used:
SUSE Linux Enterprise Server 12 (src):    gpg2-2.0.24-3.1
SUSE Linux Enterprise Desktop 12 (src):    gpg2-2.0.24-3.1
Comment 12 Marcus Meissner 2015-12-05 11:31:10 UTC
done
Comment 13 Swamp Workflow Management 2015-12-10 11:11:28 UTC
openSUSE-SU-2015:2241-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 918089,918090,952347,955753
CVE References: CVE-2015-1606,CVE-2015-1607
Sources used:
openSUSE Leap 42.1 (src):    gpg2-2.0.24-5.1
Comment 14 Swamp Workflow Management 2015-12-22 11:10:52 UTC
SUSE-SU-2015:2171-2: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 918089,918090,952347,955753
CVE References: CVE-2015-1606,CVE-2015-1607
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    gpg2-2.0.24-3.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    gpg2-2.0.24-3.2