[USN-970-1] GnuPG2 vulnerability

Marc Deslauriers marc.deslauriers at canonical.com
Wed Aug 11 17:47:14 UTC 2010


===========================================================
Ubuntu Security Notice USN-970-1            August 11, 2010
gnupg2 vulnerability
CVE-2010-2547
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  gpgsm                           2.0.7-1ubuntu0.1

Ubuntu 9.04:
  gpgsm                           2.0.9-3.1ubuntu0.1

Ubuntu 9.10:
  gpgsm                           2.0.12-0ubuntu2.1

Ubuntu 10.04 LTS:
  gpgsm                           2.0.14-1ubuntu1.2

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that GPGSM in GnuPG2 did not correctly handle
certificates with a large number of Subject Alternative Names. If a user or
automated system were tricked into processing a specially crafted
certificate, an attacker could cause a denial of service or execute
arbitrary code with privileges of the user invoking the program.


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.7-1ubuntu0.1.diff.gz
      Size/MD5:    38357 9f9b19967950818429e79181c0a8e009
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.7-1ubuntu0.1.dsc
      Size/MD5:     1049 959706cf178e4f2284f9514ad2195813
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.7.orig.tar.gz
      Size/MD5:  5035162 edac843901373c9a3bb33c5c134a60c9

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg-agent_2.0.7-1ubuntu0.1_amd64.deb
      Size/MD5:   285546 481108f98f893d984b2bbbee47ea6e42
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gpgsm_2.0.7-1ubuntu0.1_amd64.deb
      Size/MD5:   441412 acc2db528cf2719e6566accae9d289bf
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gnupg2_2.0.7-1ubuntu0.1_amd64.deb
      Size/MD5:  1140788 48b83a17ef51b15c9a002101d935e6a9

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg-agent_2.0.7-1ubuntu0.1_i386.deb
      Size/MD5:   258500 c22829f163ac0f7aac143e050ea85169
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gpgsm_2.0.7-1ubuntu0.1_i386.deb
      Size/MD5:   404416 537aaf300aefd33bf210fc031391d1b6
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gnupg2_2.0.7-1ubuntu0.1_i386.deb
      Size/MD5:  1076900 48e8b3be56b1f4bb4adc757d90c57ee5

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.7-1ubuntu0.1_lpia.deb
      Size/MD5:   258120 44b69a516104e6ec001e7d3f4a7ba6f7
    http://ports.ubuntu.com/pool/main/g/gnupg2/gpgsm_2.0.7-1ubuntu0.1_lpia.deb
      Size/MD5:   404568 b39494268d8404271e34e4666892e2d3
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gnupg2_2.0.7-1ubuntu0.1_lpia.deb
      Size/MD5:  1079478 2a78aa1f9261e69477449f660ae0d747

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.7-1ubuntu0.1_powerpc.deb
      Size/MD5:   292912 d727881145b5086fd96cf548c2123cbf
    http://ports.ubuntu.com/pool/main/g/gnupg2/gpgsm_2.0.7-1ubuntu0.1_powerpc.deb
      Size/MD5:   444646 cea2f618e615e9ff26fb69d3bd1f24fd
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gnupg2_2.0.7-1ubuntu0.1_powerpc.deb
      Size/MD5:  1156208 7dfa97127ae3281819dc270729cc6aa9

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.7-1ubuntu0.1_sparc.deb
      Size/MD5:   256654 b09ba94083d721ad93f173ecd9d3126b
    http://ports.ubuntu.com/pool/main/g/gnupg2/gpgsm_2.0.7-1ubuntu0.1_sparc.deb
      Size/MD5:   398312 797ac0ee6888972787680368102c6aa8
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gnupg2_2.0.7-1ubuntu0.1_sparc.deb
      Size/MD5:  1073772 f7f2db367693c941ae7017a538b4d736

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.9-3.1ubuntu0.1.diff.gz
      Size/MD5:    40713 f7056736ec90ad76e433ee893b4dbd97
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.9-3.1ubuntu0.1.dsc
      Size/MD5:     1483 37594fcfbe809d40002ee10cbea09c3e
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.9.orig.tar.gz
      Size/MD5:  5198703 3b6b1742509f396d51528e0cd4c76a13

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg-agent_2.0.9-3.1ubuntu0.1_amd64.deb
      Size/MD5:   318512 4ff8b15741e71ca1e3c638363b84aeae
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.9-3.1ubuntu0.1_amd64.deb
      Size/MD5:  1234036 9e4b30bb8d89098395eed5e9b513bbc4
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gpgsm_2.0.9-3.1ubuntu0.1_amd64.deb
      Size/MD5:   465838 5435b39d54406c4343580fb2f809fc5d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg-agent_2.0.9-3.1ubuntu0.1_i386.deb
      Size/MD5:   289274 c428747d01cd120b40a3dedd44c31f16
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.9-3.1ubuntu0.1_i386.deb
      Size/MD5:  1169762 ac02e769b48cd2893ece7eac3255d690
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gpgsm_2.0.9-3.1ubuntu0.1_i386.deb
      Size/MD5:   428896 c64a8863384d1dc158235715f406e6a5

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.9-3.1ubuntu0.1_lpia.deb
      Size/MD5:   287360 2d3766c5c6e202814dba2d8112b81356
    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg2_2.0.9-3.1ubuntu0.1_lpia.deb
      Size/MD5:  1168018 01c76668fc8f19adc3aa781f9f4b1b17
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gpgsm_2.0.9-3.1ubuntu0.1_lpia.deb
      Size/MD5:   425984 c0cf75eb2f9d329df75d657d31c6f3fc

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.9-3.1ubuntu0.1_powerpc.deb
      Size/MD5:   319038 3a8849451868d3f8130fe672be42795b
    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg2_2.0.9-3.1ubuntu0.1_powerpc.deb
      Size/MD5:  1233954 3bbd99735490dec55b767fa1cb726319
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gpgsm_2.0.9-3.1ubuntu0.1_powerpc.deb
      Size/MD5:   460092 80a46ecf08a5f01f9f5cb151c67c5733

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.9-3.1ubuntu0.1_sparc.deb
      Size/MD5:   284242 c2ee3e14263c458bceef40caffecf807
    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg2_2.0.9-3.1ubuntu0.1_sparc.deb
      Size/MD5:  1156416 fced6a8224a39c0d55394e91774009fa
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gpgsm_2.0.9-3.1ubuntu0.1_sparc.deb
      Size/MD5:   417652 5c122b6e9d4299715ac29d3d7d483ddf

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.12-0ubuntu2.1.diff.gz
      Size/MD5:    45252 1256d26ad9afa14e3288fd1e8e8cbc05
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.12-0ubuntu2.1.dsc
      Size/MD5:     1483 98ba32796b4984691f2104888a2cd2e8
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.12.orig.tar.gz
      Size/MD5:  5391317 411b693bff73ed5461d1b07db2508349

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg-agent_2.0.12-0ubuntu2.1_amd64.deb
      Size/MD5:   334704 037f7ca90b434879f8fbefbbdf36378a
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.12-0ubuntu2.1_amd64.deb
      Size/MD5:  1246990 072e0ea6bb59fa3bbce4aff7b228a439
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gpgsm_2.0.12-0ubuntu2.1_amd64.deb
      Size/MD5:   524584 e62719dafbd7c2c5f99dbff4337a2d95

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg-agent_2.0.12-0ubuntu2.1_i386.deb
      Size/MD5:   303270 c0e4aa5fcc89e00797b8c60d9b035290
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.12-0ubuntu2.1_i386.deb
      Size/MD5:  1173948 fa77a48b18a4db35d6f28b576374d241
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gpgsm_2.0.12-0ubuntu2.1_i386.deb
      Size/MD5:   480382 9bb7f9b289720ed9938b07a9f7376825

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.12-0ubuntu2.1_lpia.deb
      Size/MD5:   301810 ae46a0b80b14b8ab626019e6f097c588
    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg2_2.0.12-0ubuntu2.1_lpia.deb
      Size/MD5:  1177912 d26646f1fff53447dda0e5b29464ff77
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gpgsm_2.0.12-0ubuntu2.1_lpia.deb
      Size/MD5:   478874 0771937dc12c25738c5395357f75f0d3

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.12-0ubuntu2.1_powerpc.deb
      Size/MD5:   326554 02d61154b7f1a5d7c38a00b79356f3fd
    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg2_2.0.12-0ubuntu2.1_powerpc.deb
      Size/MD5:  1231128 e08169b0356a24c0d445275044ae8cb4
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gpgsm_2.0.12-0ubuntu2.1_powerpc.deb
      Size/MD5:   509388 14bc48733e68c3d81b2c023740c1e749

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.12-0ubuntu2.1_sparc.deb
      Size/MD5:   297952 8f11786784ff3a97571179469308f809
    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg2_2.0.12-0ubuntu2.1_sparc.deb
      Size/MD5:  1171980 7345b4b22127438996a37bca1c54a742
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gpgsm_2.0.12-0ubuntu2.1_sparc.deb
      Size/MD5:   466618 167455d92f7460df840e538792349f33

Updated packages for Ubuntu 10.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.14-1ubuntu1.2.debian.tar.bz2
      Size/MD5:    40744 9c03e96c6ecce9d40cea797553f87c5c
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.14-1ubuntu1.2.dsc
      Size/MD5:     1515 cccd0c5394961ac8bcaa423ee356e473
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.14.orig.tar.bz2
      Size/MD5:  3982080 54732a0a76d59646b7e0b682fb357c22

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg-agent_2.0.14-1ubuntu1.2_amd64.deb
      Size/MD5:   328348 82f297f0a7bd001a778800919389431c
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.14-1ubuntu1.2_amd64.deb
      Size/MD5:  1305582 eae9b9b47dc4560130407ac58eeb6d65
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gpgsm_2.0.14-1ubuntu1.2_amd64.deb
      Size/MD5:   522872 94f2aed0e1e80cae50c3e28f46f0c9b8

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg-agent_2.0.14-1ubuntu1.2_i386.deb
      Size/MD5:   295938 c75aea5948dd4798dc75153c3d6ed24b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg2/gnupg2_2.0.14-1ubuntu1.2_i386.deb
      Size/MD5:  1228066 24a6a91b9ac8360c7ee5f6d3487248d5
    http://security.ubuntu.com/ubuntu/pool/universe/g/gnupg2/gpgsm_2.0.14-1ubuntu1.2_i386.deb
      Size/MD5:   478024 4713ca65fa253846edb89e3650ba65cb

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.14-1ubuntu1.2_powerpc.deb
      Size/MD5:   320314 bb07ee6c242de814bba3694594649e44
    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg2_2.0.14-1ubuntu1.2_powerpc.deb
      Size/MD5:  1288430 7acd42de75cf7cf217034045df7f7100
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gpgsm_2.0.14-1ubuntu1.2_powerpc.deb
      Size/MD5:   509500 03536d3309f849b078fc9825139f2998

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg-agent_2.0.14-1ubuntu1.2_sparc.deb
      Size/MD5:   300336 d166d23c8fd65533290d65ee8759a072
    http://ports.ubuntu.com/pool/main/g/gnupg2/gnupg2_2.0.14-1ubuntu1.2_sparc.deb
      Size/MD5:  1247550 c586ab10d264eceb9539ca95737d7f44
    http://ports.ubuntu.com/pool/universe/g/gnupg2/gpgsm_2.0.14-1ubuntu1.2_sparc.deb
      Size/MD5:   479072 5035985afcd16f0a08fa896fe5b14cc7


