[v2.7] CVE-2013-4351: GnuPG treats no-usage-permitted keys as all-usages-permitted
GnuPG 1.4.x, 2.0.x, and 2.1.x treat a key flags subpacket with all bits cleared (no usage permitted) as if it had all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
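The failure mode described above, as an added C example that is not GnuPG's own code: a parser that uses 0 both for "no key flags subpacket" and for "subpacket present with all bits cleared" ends up granting every usage, while a parser that keeps the two cases apart does not. The function names, the constructed sample inputs, and the "absent subpacket defaults to all usages" rule are assumptions for illustration; the flag bit values are those of RFC 4880, section 5.2.3.21.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Key flag bits, first octet of the subpacket (RFC 4880, 5.2.3.21). */
#define KF_CERTIFY  0x01
#define KF_SIGN     0x02
#define KF_ENC_COMM 0x04
#define KF_ENC_STOR 0x08
#define KF_AUTH     0x20
#define KF_ALL (KF_CERTIFY | KF_SIGN | KF_ENC_COMM | KF_ENC_STOR | KF_AUTH)

/* Constructed sample subpacket bodies (not taken from a real key). */
static const uint8_t SAMPLE_NO_USAGE[]  = { 0x00 };
static const uint8_t SAMPLE_SIGN_ONLY[] = { KF_SIGN };

/* Flawed pattern: 0 doubles as "nothing specified", so an explicit
 * all-zero subpacket falls through to the permissive default. */
unsigned usage_flawed(const uint8_t *flags, size_t len)
{
    unsigned usage = 0;
    if (flags && len > 0)
        usage = flags[0] & KF_ALL;
    if (usage == 0)          /* cannot tell "absent" from "all cleared" */
        usage = KF_ALL;
    return usage;
}

/* Stricter pattern: apply the default only when the subpacket is absent
 * (flags == NULL, an assumption of this sketch); a present subpacket with
 * no bits set, or with no octets at all, permits nothing. */
unsigned usage_strict(const uint8_t *flags, size_t len)
{
    if (flags == NULL)
        return KF_ALL;
    return len > 0 ? (flags[0] & KF_ALL) : 0;
}

/* Non-zero when at least one of the wanted usages is permitted. */
int may_use(unsigned usage, unsigned wanted) { return (usage & wanted) != 0; }

int main(void)
{
    unsigned f = usage_flawed(SAMPLE_NO_USAGE, sizeof SAMPLE_NO_USAGE);
    unsigned s = usage_strict(SAMPLE_NO_USAGE, sizeof SAMPLE_NO_USAGE);
    printf("all-zero flags: flawed sign=%d, strict sign=%d\n",
           may_use(f, KF_SIGN), may_use(s, KF_SIGN));
    return 0;
}
```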
•MLIST:[oss-security] 20130913 Re: GnuPG treats no-usage-permitted keys as all-usages-permitted
•URL:http://www.openwall.com/lists/oss-security/2013/09/13/4
•CONFIRM:http://thread.gmane.org/gmane.comp.encryption.gpg.devel/17712/focus=18138
•CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1010137
•SUSE:openSUSE-SU-2013:1526
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00003.html
•SUSE:openSUSE-SU-2013:1532
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00006.html
•UBUNTU:USN-1987-1
•URL:http://ubuntu.com/usn/usn-1987-1
(from redmine: issue id 2432, created on 2013-11-22, closed on 2013-12-02)
- Relations:
- parent #2428 (closed)