CVE-2013-4351
First published: Fri Sep 20 2013(Updated: )
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gnupg Gnupg | =1.4.0 | |
| Gnupg Gnupg | =1.4.2 | |
| Gnupg Gnupg | =1.4.3 | |
| Gnupg Gnupg | =1.4.4 | |
| Gnupg Gnupg | =1.4.5 | |
| Gnupg Gnupg | =1.4.6 | |
| Gnupg Gnupg | =1.4.8 | |
| Gnupg Gnupg | =1.4.10 | |
| Gnupg Gnupg | =1.4.11 | |
| Gnupg Gnupg | =1.4.12 | |
| Gnupg Gnupg | =1.4.13 | |
| Gnupg Gnupg | =2.0 | |
| Gnupg Gnupg | =2.0.1 | |
| Gnupg Gnupg | =2.0.3 | |
| Gnupg Gnupg | =2.0.4 | |
| Gnupg Gnupg | =2.0.5 | |
| Gnupg Gnupg | =2.0.6 | |
| Gnupg Gnupg | =2.0.7 | |
| Gnupg Gnupg | =2.0.8 | |
| Gnupg Gnupg | =2.0.10 | |
| Gnupg Gnupg | =2.0.11 | |
| Gnupg Gnupg | =2.0.12 | |
| Gnupg Gnupg | =2.0.13 | |
| Gnupg Gnupg | =2.0.14 | |
| Gnupg Gnupg | =2.0.15 | |
| Gnupg Gnupg | =2.0.16 | |
| Gnupg Gnupg | =2.0.17 | |
| Gnupg Gnupg | =2.0.18 | |
| Gnupg Gnupg | =2.0.19 | |
| Gnupg Gnupg | =2.1.0-beta1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2013-10/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2013-10/msg00006.html
- http://rhn.redhat.com/errata/RHSA-2013-1459.html
- http://thread.gmane.org/gmane.comp.encryption.gpg.devel/17712/focus=18138
- http://ubuntu.com/usn/usn-1987-1
- http://www.debian.org/security/2013/dsa-2773
- http://www.debian.org/security/2013/dsa-2774
- http://www.openwall.com/lists/oss-security/2013/09/13/4
- https://bugzilla.redhat.com/show_bug.cgi?id=1010137
- http://seclists.org/oss-sec/2013/q3/599
- https://bugs.gentoo.org/show_bug.cgi?id=484836
- https://bugzilla.novell.com/show_bug.cgi?id=840510
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1010141
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1010142
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1010140
- http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=4bde12206c5bf199dc6e12a74af8da4558ba41bf
- https://rhn.redhat.com/errata/RHSA-2013-1459.html
- https://rhn.redhat.com/errata/RHSA-2013-1458.html
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/author
- agent/tags
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-4351
- vendor/gnupg
- canonical/gnupg gnupg
- version/gnupg gnupg/1.4.0
- version/gnupg gnupg/1.4.2
- version/gnupg gnupg/1.4.3
- version/gnupg gnupg/1.4.4
- version/gnupg gnupg/1.4.5
- version/gnupg gnupg/1.4.6
- version/gnupg gnupg/1.4.8
- version/gnupg gnupg/1.4.10
- version/gnupg gnupg/1.4.11
- version/gnupg gnupg/1.4.12
- version/gnupg gnupg/1.4.13
- version/gnupg gnupg/2.0
- version/gnupg gnupg/2.0.1
- version/gnupg gnupg/2.0.3
- version/gnupg gnupg/2.0.4
- version/gnupg gnupg/2.0.5
- version/gnupg gnupg/2.0.6
- version/gnupg gnupg/2.0.7
- version/gnupg gnupg/2.0.8
- version/gnupg gnupg/2.0.10
- version/gnupg gnupg/2.0.11
- version/gnupg gnupg/2.0.12
- version/gnupg gnupg/2.0.13
- version/gnupg gnupg/2.0.14
- version/gnupg gnupg/2.0.15
- version/gnupg gnupg/2.0.16
- version/gnupg gnupg/2.0.17
- version/gnupg gnupg/2.0.18
- version/gnupg gnupg/2.0.19
- version/gnupg gnupg/2.1.0-beta1