CVE-2010-2547 - Use After Free vulnerability in multiple products

CVSS 8.1 - HIGH
  • Attack vector: NETWORK
  • Attack complexity: HIGH
  • Privileges required: NONE
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Tags: network, high complexity, gnupg, fedoraproject, debian, CWE-416, nessus

Summary

Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2010-0603.NASL
    description: An updated gnupg2 package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard. A use-after-free flaw was found in the way gpgsm, a Cryptographic Message Syntax (CMS) encryption and signing tool, handled X.509 certificates with a large number of Subject Alternate Names. A specially crafted X.509 certificate could, when imported, cause gpgsm to crash or, possibly, execute arbitrary code. (CVE-2010-2547) All gnupg2 users should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 48252
    published: 2010-08-05
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/48252
    title: RHEL 5 : gnupg2 (RHSA-2010:0603)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2010:0603. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(48252);
      script_version ("1.20");
      script_cvs_date("Date: 2019/10/25 13:36:15");
    
      script_cve_id("CVE-2010-2547");
      script_bugtraq_id(41945);
      script_xref(name:"RHSA", value:"2010:0603");
    
      script_name(english:"RHEL 5 : gnupg2 (RHSA-2010:0603)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated gnupg2 package that fixes one security issue is now
    available for Red Hat Enterprise Linux 5.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and
    creating digital signatures, compliant with the proposed OpenPGP
    Internet standard and the S/MIME standard.
    
    A use-after-free flaw was found in the way gpgsm, a Cryptographic
    Message Syntax (CMS) encryption and signing tool, handled X.509
    certificates with a large number of Subject Alternate Names. A
    specially crafted X.509 certificate could, when imported, cause gpgsm
    to crash or, possibly, execute arbitrary code. (CVE-2010-2547)
    
    All gnupg2 users should upgrade to this updated package, which
    contains a backported patch to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2010-2547"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2010:0603"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected gnupg2 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gnupg2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/08/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/08/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/08/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2010:0603";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"gnupg2-2.0.10-3.el5_5.1")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"gnupg2-2.0.10-3.el5_5.1")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"gnupg2-2.0.10-3.el5_5.1")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnupg2");
      }
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_GPG2-100728.NASL
    description: This update fixes a vulnerability of GnuPG2 to arbitrary code execution by context-dependent attackers due to reusing a freed pointer when verifying a signature or importing a certificate with many
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50913
    published: 2010-12-02
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/50913
    title: SuSE 11 / 11.1 Security Update : gpg2 (SAT Patch Numbers 2820 / 2822)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50913);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:39");
    
      script_cve_id("CVE-2010-2547");
    
      script_name(english:"SuSE 11 / 11.1 Security Update : gpg2 (SAT Patch Numbers 2820 / 2822)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes a vulnerability of GnuPG2 to arbitrary code
    execution by context-dependent attackers due to reusing a freed
    pointer when verifying a signature or importing a certificate with
    many 'Subject Alternate Names'. (CVE-2010-2547)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=625947"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-2547.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Apply SAT patch number 2820 / 2822 as appropriate."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:gpg2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:gpg2-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libgcrypt11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libgcrypt11-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libgpg-error0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libgpg-error0-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libksba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/07/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"gpg2-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"gpg2-lang-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"libgcrypt11-1.4.1-6.7")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"libgpg-error0-1.6-8.6")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"libksba-1.0.4-1.16")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"gpg2-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"gpg2-lang-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libgcrypt11-1.4.1-6.7")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libgcrypt11-32bit-1.4.1-6.7")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libgpg-error0-1.6-8.6")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libgpg-error0-32bit-1.6-8.6")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libksba-1.0.4-1.16")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"gpg2-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"gpg2-lang-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"gpg2-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"gpg2-lang-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"gpg2-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"gpg2-lang-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"libgcrypt11-1.4.1-6.7")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"libgpg-error0-1.6-8.6")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"libksba-1.0.4-1.16")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"libgcrypt11-32bit-1.4.1-6.7")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"libgpg-error0-32bit-1.6-8.6")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"libgcrypt11-32bit-1.4.1-6.7")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"libgpg-error0-32bit-1.6-8.6")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"gpg2-2.0.9-25.26.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"gpg2-lang-2.0.9-25.26.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2010-0603.NASL
    description: From Red Hat Security Advisory 2010:0603 : An updated gnupg2 package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard. A use-after-free flaw was found in the way gpgsm, a Cryptographic Message Syntax (CMS) encryption and signing tool, handled X.509 certificates with a large number of Subject Alternate Names. A specially crafted X.509 certificate could, when imported, cause gpgsm to crash or, possibly, execute arbitrary code. (CVE-2010-2547) All gnupg2 users should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68078
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68078
    title: Oracle Linux 5 : gnupg2 (ELSA-2010-0603)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2010:0603 and 
    # Oracle Linux Security Advisory ELSA-2010-0603 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68078);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:08");
    
      script_cve_id("CVE-2010-2547");
      script_bugtraq_id(41945);
      script_xref(name:"RHSA", value:"2010:0603");
    
      script_name(english:"Oracle Linux 5 : gnupg2 (ELSA-2010-0603)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2010:0603 :
    
    An updated gnupg2 package that fixes one security issue is now
    available for Red Hat Enterprise Linux 5.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and
    creating digital signatures, compliant with the proposed OpenPGP
    Internet standard and the S/MIME standard.
    
    A use-after-free flaw was found in the way gpgsm, a Cryptographic
    Message Syntax (CMS) encryption and signing tool, handled X.509
    certificates with a large number of Subject Alternate Names. A
    specially crafted X.509 certificate could, when imported, cause gpgsm
    to crash or, possibly, execute arbitrary code. (CVE-2010-2547)
    
    All gnupg2 users should upgrade to this updated package, which
    contains a backported patch to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2010-August/001577.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected gnupg2 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:gnupg2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/08/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/08/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL5", reference:"gnupg2-2.0.10-3.el5_5.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnupg2");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_GPG2-100728.NASL
    description: GnuPG2 was vulnerable to arbitrary code execution by context-dependent attackers because of reusing a freed pointer when verifying a signature or importing a certificate with many
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 48259
    published: 2010-08-06
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/48259
    title: openSUSE Security Update : gpg2 (openSUSE-SU-2010:0479-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update gpg2-2819.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(48259);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:38");
    
      script_cve_id("CVE-2010-2547");
    
      script_name(english:"openSUSE Security Update : gpg2 (openSUSE-SU-2010:0479-1)");
      script_summary(english:"Check for the gpg2-2819 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "GnuPG2 was vulnerable to arbitrary code execution by context-dependent
    attackers because of reusing a freed pointer when verifying a
    signature or importing a certificate with many 'Subject Alternate
    Names'. (CVE-2010-2547)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=625947"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-08/msg00016.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected gpg2 packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gpg2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gpg2-lang");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/07/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/08/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.1", reference:"gpg2-2.0.9-25.109.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"gpg2-lang-2.0.9-25.109.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gpg2");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-970-1.NASL
    description: It was discovered that GPGSM in GnuPG2 did not correctly handle certificates with a large number of Subject Alternate Names. If a user or automated system were tricked into processing a specially crafted certificate, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 48315
    published: 2010-08-12
    reporter: Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/48315
    title: Ubuntu 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : gnupg2 vulnerability (USN-970-1)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2010-240-01.NASL
    description: New gnupg2 packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 48919
    published: 2010-08-29
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/48919
    title: Slackware 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : gnupg2 (SSA:2010-240-01)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201110-15.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201110-15 (GnuPG: User-assisted execution of arbitrary code) The GPGSM utility in GnuPG contains a use-after-free vulnerability that may be exploited when importing a crafted X.509 certificate explicitly or during the signature verification process. Impact : An unauthenticated remote attacker may execute arbitrary code with the privileges of the user running GnuPG by enticing them to import a crafted certificate. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56590
    published: 2011-10-24
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56590
    title: GLSA-201110-15 : GnuPG: User-assisted execution of arbitrary code
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_2_GPG2-100728.NASL
    description: GnuPG2 was vulnerable to arbitrary code execution by context-dependent attackers because of reusing a freed pointer when verifying a signature or importing a certificate with many
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 48260
    published: 2010-08-06
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/48260
    title: openSUSE Security Update : gpg2 (openSUSE-SU-2010:0479-1)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2010-143.NASL
    description: A vulnerability has been discovered and corrected in gnupg2 : Importing a certificate with more than 98 Subject Alternate Names via GPGSM
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 48209
    published: 2010-08-02
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/48209
    title: Mandriva Linux Security Advisory : gnupg2 (MDVSA-2010:143)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_GPG2-7107.NASL
    description: This update fixes a vulnerability of GnuPG2 to arbitrary code execution by context-dependent attackers due to reusing a freed pointer when verifying a signature or importing a certificate with many
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 49856
    published: 2010-10-11
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/49856
    title: SuSE 10 Security Update : gpg2 (ZYPP Patch Number 7107)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20100804_GNUPG2_ON_SL5_X.NASL
    description: A use-after-free flaw was found in the way gpgsm, a Cryptographic Message Syntax (CMS) encryption and signing tool, handled X.509 certificates with a large number of Subject Alternate Names. A specially crafted X.509 certificate could, when imported, cause gpgsm to crash or, possibly, execute arbitrary code. (CVE-2010-2547)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60829
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60829
    title: Scientific Linux Security Update : gnupg2 on SL5.x i386/x86_64
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2076.NASL
    description: It was discovered that GnuPG 2 uses a freed pointer when verifying a signature or importing a certificate with many Subject Alternate Names, potentially leading to arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47890
    published: 2010-07-29
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/47890
    title: Debian DSA-2076-1 : gnupg2 - use-after-free
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_3_GPG2-100728.NASL
    description: GnuPG2 was vulnerable to arbitrary code execution by context-dependent attackers because of reusing a freed pointer when verifying a signature or importing a certificate with many
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 75523
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75523
    title: openSUSE Security Update : gpg2 (openSUSE-SU-2010:0479-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-11413.NASL
    description: - Fri Jul 23 2010 Rex Dieter <rdieter at fedoraproject.org> - 2.0.14-4 - gpgsm realloc patch - Fri Jun 18 2010 Tomas Mraz <tmraz at redhat.com> - 2.0.14-3 - initialize small amount of secmem for list of algorithms in help (#598847) (necessary in the FIPS mode of libgcrypt) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 48229
    published: 2010-08-03
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/48229
    title: Fedora 13 : gnupg2-2.0.14-4.fc13 (2010-11413)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2010-0603.NASL
    description: An updated gnupg2 package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard. A use-after-free flaw was found in the way gpgsm, a Cryptographic Message Syntax (CMS) encryption and signing tool, handled X.509 certificates with a large number of Subject Alternate Names. A specially crafted X.509 certificate could, when imported, cause gpgsm to crash or, possibly, execute arbitrary code. (CVE-2010-2547) All gnupg2 users should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 48268
    published: 2010-08-09
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/48268
    title: CentOS 5 : gnupg2 (CESA-2010:0603)

Redhat

advisories
bugzilla
id: 618156
title: CVE-2010-2547 GnuPG 2: use-after-free when importing certificate with many alternate names
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 5 is installed
      oval: oval:com.redhat.rhba:tst:20070331005
    • comment: gnupg2 is earlier than 0:2.0.10-3.el5_5.1
      oval: oval:com.redhat.rhsa:tst:20100603001
    • comment: gnupg2 is signed with Red Hat redhatrelease key
      oval: oval:com.redhat.rhsa:tst:20100603002
rhsa
id: RHSA-2010:0603
released: 2010-08-04
severity: Moderate
title: RHSA-2010:0603: gnupg2 security update (Moderate)
rpms
  • gnupg2-0:2.0.10-3.el5_5.1
  • gnupg2-debuginfo-0:2.0.10-3.el5_5.1

References