CVE-2014-4617

The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 92%
Affected Products (NVD)
VendorProductVersion
gnupggnupg
2.0
gnupggnupg
2.0.1
gnupggnupg
2.0.3
gnupggnupg
2.0.4
gnupggnupg
2.0.5
gnupggnupg
2.0.6
gnupggnupg
2.0.7
gnupggnupg
2.0.8
gnupggnupg
2.0.10
gnupggnupg
2.0.11
gnupggnupg
2.0.12
gnupggnupg
2.0.13
gnupggnupg
2.0.14
gnupggnupg
2.0.15
gnupggnupg
2.0.16
gnupggnupg
2.0.17
gnupggnupg
2.0.18
gnupggnupg
2.0.19
gnupggnupg
2.0.20
gnupggnupg
2.0.21
gnupggnupg
2.0.22
gnupggnupg
2.0.23
gnupggnupg
𝑥
≤ 1.4.16
gnupggnupg
1.0.0
gnupggnupg
1.0.1
gnupggnupg
1.0.2
gnupggnupg
1.0.3
gnupggnupg
1.0.4
gnupggnupg
1.0.5
gnupggnupg
1.0.6
gnupggnupg
1.0.7
gnupggnupg
1.2.0
gnupggnupg
1.2.1
gnupggnupg
1.2.2
gnupggnupg
1.2.3
gnupggnupg
1.2.4
gnupggnupg
1.2.5
gnupggnupg
1.2.6
gnupggnupg
1.2.7
gnupggnupg
1.3.0
gnupggnupg
1.3.1
gnupggnupg
1.3.2
gnupggnupg
1.3.3
gnupggnupg
1.3.4
gnupggnupg
1.3.6
gnupggnupg
1.3.90
gnupggnupg
1.3.91
gnupggnupg
1.3.92
gnupggnupg
1.3.93
gnupggnupg
1.4.0
gnupggnupg
1.4.2
gnupggnupg
1.4.3
gnupggnupg
1.4.4
gnupggnupg
1.4.5
gnupggnupg
1.4.8
gnupggnupg
1.4.10
gnupggnupg
1.4.11
gnupggnupg
1.4.12
gnupggnupg
1.4.13
gnupggnupg
1.4.14
gnupggnupg
1.4.15
debiandebian_linux
7.0
opensuseopensuse
12.3
opensuseopensuse
13.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gnupg2
bookworm
2.2.40-1.1
fixed
bullseye
2.2.27-2+deb11u2
fixed
bullseye (security)
2.2.27-2+deb11u2
fixed
sid
2.2.45-2
fixed
trixie
2.2.44-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gnupg
lucid
Fixed 1.4.10-2ubuntu1.6
released
precise
Fixed 1.4.11-3ubuntu2.6
released
saucy
Fixed 1.4.14-1ubuntu2.2
released
trusty
Fixed 1.4.16-1ubuntu2.1
released
gnupg2
lucid
ignored
precise
Fixed 2.0.17-2ubuntu2.12.04.4
released
saucy
Fixed 2.0.20-1ubuntu3.1
released
trusty
Fixed 2.0.22-3ubuntu1.1
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
gpg2
suse enterprise desktop 15
2.2.5-2.9
fixed
suse enterprise desktop 15 SP1
2.2.5-4.6.2
fixed
suse enterprise sap 12 SP5
2.0.24-9.8.1
fixed
suse enterprise sap 15
2.2.5-2.9
fixed
suse enterprise sap 15 SP1
2.2.5-4.6.2
fixed
suse enterprise server 12
2.0.24-1.5
fixed
suse enterprise server 12 SP1
2.0.24-1.5
fixed
suse enterprise server 12 SP2
2.0.24-3.2
fixed
suse enterprise server 12 SP5
2.0.24-9.8.1
fixed
suse enterprise server 15
2.2.5-2.9
fixed
suse enterprise server 15 SP1
2.2.5-4.6.2
fixed
gpg2-lang
suse enterprise desktop 15
2.2.5-2.9
fixed
suse enterprise desktop 15 SP1
2.2.5-4.6.2
fixed
suse enterprise sap 12 SP5
2.0.24-9.8.1
fixed
suse enterprise sap 15
2.2.5-2.9
fixed
suse enterprise sap 15 SP1
2.2.5-4.6.2
fixed
suse enterprise server 12
2.0.24-1.5
fixed
suse enterprise server 12 SP1
2.0.24-1.5
fixed
suse enterprise server 12 SP2
2.0.24-3.2
fixed
suse enterprise server 12 SP5
2.0.24-9.8.1
fixed
suse enterprise server 15
2.2.5-2.9
fixed
suse enterprise server 15 SP1
2.2.5-4.6.2
fixed
Common Weakness Enumeration
References
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=014b2103fcb12f261135e3954f26e9e07b39e342
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html
http://lists.opensuse.org/opensuse-updates/2014-07/msg00010.html
http://secunia.com/advisories/59213
http://secunia.com/advisories/59351
http://secunia.com/advisories/59534
http://secunia.com/advisories/59578
http://www.debian.org/security/2014/dsa-2967
http://www.debian.org/security/2014/dsa-2968
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.ubuntu.com/usn/USN-2258-1
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=014b2103fcb12f261135e3954f26e9e07b39e342
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html
http://lists.opensuse.org/opensuse-updates/2014-07/msg00010.html
http://secunia.com/advisories/59213
http://secunia.com/advisories/59351
http://secunia.com/advisories/59534
http://secunia.com/advisories/59578
http://www.debian.org/security/2014/dsa-2967
http://www.debian.org/security/2014/dsa-2968
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.ubuntu.com/usn/USN-2258-1