On Tue 2015-02-17 00:27:20 -0500, Salvatore Bonaccorso wrote:
> Control: fixed -1 2.1.2-1
>
> Hi Daniel,
>
> On Mon, Feb 16, 2015 at 06:09:18PM -0500, Daniel Kahn Gillmor wrote:
>> Several coding errors were discovered in GnuPG 2.0 lately by Hanno Böck
>> as part of the Fuzzing Project:
>
> Have you checked if gnupg 1.4.x is also affected by both of these
> CVEs? We have marked gnupg as "undetermined" so far in the
> security-tracker.

Yes, gpg 1.4.x is also affected.  In particular, CVE-2015-1606 is known
to affect it.  The demonstration vector we have for CVE-2015-1607 is a
keybox file, which is not supported by gpg 1.4.x, but the underlying fix
(normalizing bitshift operations) seems like it should apply to 1.4.x as
well.

I'm not sure how to represent this in the BTS; should I clone this and
reassign it to the gnupg package, or is there a way to make this bug
report apply to both gnupg and gnupg2?

I'm working today on getting patches for both the 2.0.x and 1.4.x
branches.

        --dkg