Members

  • This project does not have any members.

Watchers

  • This project does not have any watchers.

Details

Description

This bug has an associated CVE id.

Such bugs often have restricted access before publication. Note that this bug tracker does not yet encrypt mails to subscribers, so for highly sensitive issues be careful what you write in the report while it is still restricted.

Recent Activity

Wed, Feb 24

werner added a commit to T4510: Update our copy of SQLite to 3.28: rGd763548f2e00: build: Require a fixed SQlite version..
Wed, Feb 24, 10:54 PM · CVE

Fri, Feb 12

werner closed T5259: Release Libgcrypt 1.9.1, a subtask of T5275: Exploitable overflow in Libgcrypt 1.9.0, as Resolved.
Fri, Feb 12, 12:34 PM · CVE, libgcrypt

Feb 3 2021

werner closed T5275: Exploitable overflow in Libgcrypt 1.9.0 as Resolved.
Feb 3 2021, 8:07 AM · CVE, libgcrypt

Jan 29 2021

werner changed External Link from https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html to https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html on T5275: Exploitable overflow in Libgcrypt 1.9.0.
Jan 29 2021, 12:34 PM · CVE, libgcrypt
werner changed the status of T5275: Exploitable overflow in Libgcrypt 1.9.0 from Open to Testing.

Fix has been released. Keeping this in testing state for easier visibility of this task.

Jan 29 2021, 11:27 AM · CVE, libgcrypt
werner changed the status of T5259: Release Libgcrypt 1.9.1, a subtask of T5275: Exploitable overflow in Libgcrypt 1.9.0, from Open to Testing.
Jan 29 2021, 11:25 AM · CVE, libgcrypt
werner added a subtask for T5275: Exploitable overflow in Libgcrypt 1.9.0: T5259: Release Libgcrypt 1.9.1.
Jan 29 2021, 10:14 AM · CVE, libgcrypt
werner created T5275: Exploitable overflow in Libgcrypt 1.9.0.
Jan 29 2021, 10:13 AM · CVE, libgcrypt

Sep 4 2020

werner closed T5050: AEAD preference list overflow in 2.2 as Resolved.

Gpg4win 3.113 has also been released. Thus closing this issue.

Sep 4 2020, 5:23 PM · gnupg (gpg22), CVE
werner added a comment to T5050: AEAD preference list overflow in 2.2.

Small correction: The fixed byte I talked about may have the values 1, 2, 3, or 4.

Sep 4 2020, 9:06 AM · gnupg (gpg22), CVE

Sep 3 2020

werner added a comment to T5050: AEAD preference list overflow in 2.2.

This has CVE-2020-25125

Sep 3 2020, 9:56 PM · gnupg (gpg22), CVE
werner added a comment to T5050: AEAD preference list overflow in 2.2.

2.2.23 has been released and announced.

Sep 3 2020, 6:49 PM · gnupg (gpg22), CVE
werner shifted T5050: AEAD preference list overflow in 2.2 from the Restricted Space space to the S1 Public space.
Sep 3 2020, 6:44 PM · gnupg (gpg22), CVE
werner added a commit to T5050: AEAD preference list overflow in 2.2: rGaeb8272ca8aa: gpg: Fix AEAD preference list overflow.
Sep 3 2020, 5:54 PM · gnupg (gpg22), CVE
werner added a comment to T5050: AEAD preference list overflow in 2.2.

The fix will be in the 2.2.23 release (T5045).

Sep 3 2020, 5:20 PM · gnupg (gpg22), CVE
werner created T5050: AEAD preference list overflow in 2.2 in the Restricted Space space.
Sep 3 2020, 3:21 PM · gnupg (gpg22), CVE

Jan 8 2020

werner added a comment to T4755: WoT forgeries using SHA-1.

FWIW, the second listed commit is the right one. You should only look at the STABLE-STABLE-2-2 branch. master and that branch differ; in particular we do not have a cut-off date in master (to be 2.3).

Jan 8 2020, 10:52 AM · CVE, gnupg
werner set External Link to https://sha-mbles.github.io/ on T4755: WoT forgeries using SHA-1.
Jan 8 2020, 10:34 AM · CVE, gnupg

Nov 29 2019

apo added a comment to T4755: WoT forgeries using SHA-1.

I am currently investigating the issue known as CVE-2019-14855 for Debian's LTS version Debian 8 "Jessie" and even Debian 7 "Wheezy".

Nov 29 2019, 11:31 PM · CVE, gnupg

Nov 25 2019

werner closed T4755: WoT forgeries using SHA-1 as Resolved.
Nov 25 2019, 10:11 PM · CVE, gnupg

Nov 24 2019

werner created T4755: WoT forgeries using SHA-1.
Nov 24 2019, 8:26 PM · CVE, gnupg

Nov 6 2019

werner added a project to T4740: GnuPG: Invalid digest algorithm for new certifications made by old keys with GnuPG master: CVE.

That is due to the mitigation for CVE-2019-14855. I need to see how to find a more specific mitigation.

Nov 6 2019, 4:25 PM · CVE, gnupg

Oct 4 2019

werner added a comment to T4683: Release Libgcrypt 1.8.5.

See https://minerva.crocs.fi.muni.cz/ for a description of the timing attack.

Oct 4 2019, 8:57 AM · CVE, Release Info, libgcrypt

Aug 29 2019

werner set External Link to https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000440.html on T4683: Release Libgcrypt 1.8.5.
Aug 29 2019, 5:39 PM · CVE, Release Info, libgcrypt
werner closed T4683: Release Libgcrypt 1.8.5 as Resolved.
Aug 29 2019, 3:24 PM · CVE, Release Info, libgcrypt

May 28 2019

werner closed T4510: Update our copy of SQLite to 3.28 as Resolved.
May 28 2019, 5:04 PM · CVE

May 13 2019

werner created T4510: Update our copy of SQLite to 3.28.
May 13 2019, 7:40 PM · CVE

Apr 29 2019

werner added a comment to T4012: Diagnostic is shown with the original filename not being sanitized..

Request for key:          Thu, 7 Jun 2018 11:48 +0200
Reply from us:            Thu, 7 Jun 2018 19:05 +0200
Report date:              Fri, 8 Jun 2018 09:14 +0200
Fix committed:            Fri, 8 Jun 2018 11:09 +0200
Announcement and release: Fri, 8 Jun 2018 15:41 +0200

Apr 29 2019, 4:14 PM · gnupg, CVE, Bug Report

Jun 14 2018

olf added a comment to T4016: Libgcrypt release 1.8.3.

Thanks.
So what I remembered was 1 year and 1 month off the real EOL date.

Jun 14 2018, 1:21 AM · Release Info, CVE, libgcrypt

Jun 13 2018

werner closed T4011: CVE-2018-0495 as Resolved.
Jun 13 2018, 6:33 PM · CVE, libgcrypt
werner added a comment to T4011: CVE-2018-0495.

Here is our announcement: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html

Jun 13 2018, 6:32 PM · CVE, libgcrypt
werner added a comment to T4011: CVE-2018-0495.

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

Jun 13 2018, 5:40 PM · CVE, libgcrypt
gniibe added a comment to T4011: CVE-2018-0495.

Informed Debian security team about our change of libgcrypt.

Jun 13 2018, 1:02 PM · CVE, libgcrypt
werner changed the visibility for T4011: CVE-2018-0495.
Jun 13 2018, 12:40 PM · CVE, libgcrypt
werner added a comment to T4011: CVE-2018-0495.

A new installer for GnuPG with Libgcrypt 1.8.3 is now available.

Jun 13 2018, 12:38 PM · CVE, libgcrypt
werner added a comment to T4011: CVE-2018-0495.

Releases are now available. Next task is to build a new GnuPG Windows installer.

Jun 13 2018, 10:40 AM · CVE, libgcrypt
werner closed T4016: Libgcrypt release 1.8.3 as Resolved.

1.8.3 and 1.7.10 are now released. Announcement will follow later in the day.

Jun 13 2018, 10:39 AM · Release Info, CVE, libgcrypt
werner closed T4016: Libgcrypt release 1.8.3, a subtask of T4011: CVE-2018-0495, as Resolved.
Jun 13 2018, 10:39 AM · CVE, libgcrypt
gniibe added a comment to T4011: CVE-2018-0495.

Pushed fixes to the repository at 16:00+0900 (09:00+0200). It's 0700Z.

Jun 13 2018, 9:05 AM · CVE, libgcrypt
gniibe added a comment to T4011: CVE-2018-0495.

In master, it's

commit 9010d1576e278a4274ad3f4aa15776c28f6ba965
Author: NIIBE Yutaka <gniibe@fsij.org>
Date:   Wed Jun 13 15:28:58 2018 +0900

Jun 13 2018, 8:59 AM · CVE, libgcrypt
werner updated the task description for T4016: Libgcrypt release 1.8.3.
Jun 13 2018, 8:07 AM · Release Info, CVE, libgcrypt
werner added a comment to T4016: Libgcrypt release 1.8.3.

1.8.3 has not yet been released and thus there are no NEWS entries and there can't be a 1.8.3 tag. You are right that the README still says 1.7. I'll fix that for 1.8.3. Why do you think maintenance of 1.7 stopped? The AUTHORS file and the new EOL statements on the download page say that we are going to maintain it until 2019-06-30.

Jun 13 2018, 8:06 AM · Release Info, CVE, libgcrypt

Jun 12 2018

werner updated subscribers of T4011: CVE-2018-0495.

Publication is planned for the 13th, 1500Z

Jun 12 2018, 1:12 PM · CVE, libgcrypt

Jun 11 2018

olf added a comment to T4016: Libgcrypt release 1.8.3.

I just noticed that a tag for Libgcrypt 1.8.3 seems to be missing: https://dev.gnupg.org/source/libgcrypt/tags/LIBGCRYPT-1.8-BRANCH/

Jun 11 2018, 11:36 PM · Release Info, CVE, libgcrypt
werner closed T4012: Diagnostic is shown with the original filename not being sanitized. as Resolved.
Jun 11 2018, 11:23 AM · gnupg, CVE, Bug Report
werner renamed T4012: Diagnostic is shown with the original filename not being sanitized. from Diagnostic is shown with the original filename not beeing sanitized. to Diagnostic is shown with the original filename not being sanitized..
Jun 11 2018, 11:23 AM · gnupg, CVE, Bug Report
werner closed T4015: Release 1.4.23, a subtask of T4012: Diagnostic is shown with the original filename not being sanitized., as Resolved.
Jun 11 2018, 11:23 AM · gnupg, CVE, Bug Report
werner closed T4015: Release 1.4.23 as Resolved.
Jun 11 2018, 11:23 AM · Release Info, gnupg (gpg14), CVE
werner added a project to T4015: Release 1.4.23: Release Info.
Jun 11 2018, 9:59 AM · Release Info, gnupg (gpg14), CVE
werner added a project to T4016: Libgcrypt release 1.8.3: Release Info.
Jun 11 2018, 9:58 AM · Release Info, CVE, libgcrypt