
Review for gnupg2 upload



Attached is a debdiff for gnupg2 to fix CVE-2014-4617 in
squeeze-lts. Please let me know if you see any problems with it. 

-- 
Eric Dorland <eric@kuroneko.ca>
43CF 1228 F726 FD5B 474C  E962 C256 FBD5 0022 1E93
diff -Nru gnupg2-2.0.14/debian/changelog gnupg2-2.0.14/debian/changelog
--- gnupg2-2.0.14/debian/changelog	2013-10-09 01:09:19.000000000 -0400
+++ gnupg2-2.0.14/debian/changelog	2014-09-06 19:06:52.000000000 -0400
@@ -1,3 +1,10 @@
+gnupg2 (2.0.14-2+squeeze3) squeeze-lts; urgency=high
+
+  * debian/patches/08-cve-2014-4617.diff: Fixes CVE-2014-4617 "infinite
+    loop when decompressing data packets". (Closes: #752498)
+
+ -- Eric Dorland <eric@debian.org>  Sat, 06 Sep 2014 18:58:19 -0400
+
 gnupg2 (2.0.14-2+squeeze2) squeeze-security; urgency=low
 
   * debian/patches/{05-cve-2013-4402_p1.diff,06-cve-2013-4402_p2.diff}:
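Review bot: the changelog bullet names the CVE and closes #752498 but does not say which upstream commit the patch backports; the patch header in this same debdiff identifies it (X-Git-Tag gnupg-2.0.24~14, commit 014b2103), so adding something like "backport of upstream commit 014b2103 (gnupg-2.0.24)" to the bullet would let anyone auditing squeeze-lts trace the fix without opening the patch file.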
diff -Nru gnupg2-2.0.14/debian/patches/08-cve-2014-4617.diff gnupg2-2.0.14/debian/patches/08-cve-2014-4617.diff
--- gnupg2-2.0.14/debian/patches/08-cve-2014-4617.diff	1969-12-31 19:00:00.000000000 -0500
+++ gnupg2-2.0.14/debian/patches/08-cve-2014-4617.diff	2014-09-06 19:06:52.000000000 -0400
@@ -0,0 +1,67 @@
+From: Werner Koch <wk@gnupg.org>
+Date: Fri, 20 Jun 2014 08:39:26 +0000 (+0200)
+Subject: gpg: Avoid infinite loop in uncompressing garbled packets.
+X-Git-Tag: gnupg-2.0.24~14
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=014b2103fcb12f261135e3954f26e9e07b39e342
+
+gpg: Avoid infinite loop in uncompressing garbled packets.
+
+* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
+--
+
+A packet like (a3 01 5b ff) leads to an infinite loop.  Using
+--max-output won't help if it is a partial packet.  This patch
+actually fixes a regression introduced on 1999-05-31 (c34c6769).
+Actually it would be sufficient to stuff just one extra 0xff byte.
+Given that this problem popped up only after 15 years, I feel safer to
+allow for a very few FF bytes.
+
+Thanks to Olivier Levillain and Florian Maury for their detailed
+report.
+---
+
+diff --git a/g10/compress.c b/g10/compress.c
+index a91dd23..6e151bc 100644
+--- a/g10/compress.c
++++ b/g10/compress.c
+@@ -161,7 +161,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ 	       IOBUF a, size_t *ret_len )
+ {
+     int zrc;
+-    int rc=0;
++    int rc = 0;
++    int leave = 0;
+     size_t n;
+     int nread, count;
+     int refill = !zs->avail_in;
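Review bot: `leave` is a new automatic variable reset to 0 on every call to do_uncompress, so it only ends the current call's loop; the bound that actually prevents the endless loop is `zfx->algo1hack`, which lives in the filter context and persists across calls. The `int rc=0;` to `int rc = 0;` change is whitespace only; for a minimal squeeze-lts backport it could be dropped to keep the diff to the functional change, although keeping the file byte-identical to the upstream commit is also a reasonable choice.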
+@@ -179,13 +180,14 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ 	    nread = iobuf_read( a, zfx->inbuf + n, count );
+ 	    if( nread == -1 ) nread = 0;
+ 	    n += nread;
+-	    /* If we use the undocumented feature to suppress
+-	     * the zlib header, we have to give inflate an
+-	     * extra dummy byte to read */
+-	    if( nread < count && zfx->algo == 1 ) {
+-		*(zfx->inbuf + n) = 0xFF; /* is it really needed ? */
+-		zfx->algo1hack = 1;
++	    /* Algo 1 has no zlib header which requires us to to give
++	     * inflate an extra dummy byte to read. To be on the safe
++	     * side we allow for up to 4 ff bytes.  */
++	    if( nread < count && zfx->algo == 1 && zfx->algo1hack < 4) {
++		*(zfx->inbuf + n) = 0xFF;
++		zfx->algo1hack++;
+ 		n++;
++                leave = 1;
+ 	    }
+ 	    zs->avail_in = n;
+ 	}
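Review bot: `zfx->algo1hack` changes meaning in this hunk from a flag that was set to 1 to a counter incremented up to 4, and the `< 4` test depends on it being 0 when the context is created; the hunk does not show where compress_filter_context_t is allocated, so before upload it is worth confirming that the 2.0.14 code zero-initialises the context (calloc-style) as upstream assumes, otherwise the stuffing would be skipped or bounded differently from upstream. Two cosmetic points in the upstream text, best left untouched so the patch stays identical to the commit: the comment reads "to to give", and `leave = 1;` is indented with spaces while the surrounding lines use tabs.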
+@@ -205,7 +207,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ 	    else
+ 		log_fatal("zlib inflate problem: rc=%d\n", zrc );
+ 	}
+-    } while( zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR );
++    } while (zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR
++             && !leave);
+ 
+     *ret_len = zfx->outbufsize - zs->avail_out;
+     if( DBG_FILTER )
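Review bot: with `&& !leave` the do-while now exits after the first inflate pass that consumed a stuffed 0xFF byte even if `zs->avail_out` still has room, so a truncated algo-1 stream returns short from this call and relies on the caller invoking do_uncompress again; on later calls `algo1hack` reaches 4, no further byte is stuffed, and the loop ends through the existing Z_STREAM_END / Z_BUF_ERROR condition. That matches the commit message's claim about the (a3 01 5b ff) packet, but since the loop exit path changed rather than just a byte count, a quick run of that packet against the built squeeze package is worth doing before upload. On the patch file itself: the git header carries From/Date/Subject but no `Origin:` or `Bug-Debian:` lines; adding `Origin: upstream, <the X-Git-Url above>` and `Bug-Debian: http://bugs.debian.org/752498` would make it a complete DEP-3 header.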
diff -Nru gnupg2-2.0.14/debian/patches/series gnupg2-2.0.14/debian/patches/series
--- gnupg2-2.0.14/debian/patches/series	2013-10-09 01:09:19.000000000 -0400
+++ gnupg2-2.0.14/debian/patches/series	2014-09-06 19:06:52.000000000 -0400
@@ -5,3 +5,4 @@
 05-cve-2013-4402_p1.diff
 06-cve-2013-4402_p2.diff
 07-cve-2013-4351.diff
+08-cve-2014-4617.diff

Attachment: signature.asc
Description: Digital signature