CVE-2015-1607

EPSS 0.63%
Published 20.11.2019 19:15:11
Last modified 21.11.2024 02:25:46
Source cve@mitre.org
Teams watchlist Login
Open Login

kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and "memcpy with overlapping ranges."

Affected products Warnungen 0 Metrics 3 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

Gnupg ≫ Gnupg Version < 1.4.19

Gnupg ≫ Gnupg Version >= 2.0 < 2.0.27

Gnupg ≫ Gnupg Version >= 2.1.0 < 2.1.2

Canonical ≫ Ubuntu Linux Version10.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version12.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version14.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version14.10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.63%	0.679

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:N/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.openwall.com/lists/oss-security/2015/02/13/14

Third Party Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2015/02/14/6

Third Party Advisory

Mailing List

https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html

Third Party Advisory

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=2183683bd633818dd031b090b5530951de76f392

http://www.securityfocus.com/bid/72610

Third Party Advisory

VDB Entry