Denial of Service Vulnerability in GnuPG Software
CVE-2015-1607

5.5 MEDIUM

Key Information:

Vendor: GnuPG
Status: Vendor
CVE Published: 20 November 2019

What is CVE-2015-1607?

GnuPG versions prior to 1.4.19, 2.0.27, and 2.1.2 are susceptible to a denial of service vulnerability because kbx/keybox-search.c does not properly handle bitwise left shifts. A remote attacker can craft a malicious keyring file that triggers an invalid memory read, causing unexpected application behavior and service interruption. The defect is related to sign extension during those shifts and to the use of 'memcpy' on overlapping memory ranges, either of which can crash or otherwise destabilise the process that parses the keyring.
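The two defect classes the description names, sign extension when a length is assembled from a buffer of signed `char` by left-shifting, and `memcpy` on overlapping ranges, are easy to see in isolation. The following is an added illustration written for this page; it is not GnuPG's code and does not reproduce the keybox format. The sample length field, the buffer sizes and the function names are constructed for the example. It shows how a byte with the top bit set sign-extends into a huge length that a bounds check must reject, and why a tail that slides over its own old location needs `memmove` rather than `memcpy`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 4-byte big-endian length field whose low byte has
   the top bit set. The intended value is 0x00000180 = 384. */
static const char sample_len[4] = { 0x00, 0x00, 0x01, (char)0x80 };

/* Defect pattern: bytes arrive through a signed 'char', so any byte >= 0x80
   is sign-extended during integer promotion before it is shifted and OR'd.
   Casting to unsigned long first keeps the demonstration free of undefined
   behaviour while preserving the sign-extended value. */
static unsigned long read_be32_signed(const char *p)
{
    return ((unsigned long)(signed char)p[0] << 24)
         | ((unsigned long)(signed char)p[1] << 16)
         | ((unsigned long)(signed char)p[2] << 8)
         |  (unsigned long)(signed char)p[3];
}

/* Corrected form: widen each byte as an unsigned value before shifting. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 if a field of 'len' bytes at offset 'off' lies inside a buffer
   of 'total' bytes. Written without 'off + len' so it cannot wrap. */
static int field_fits(size_t total, size_t off, size_t len)
{
    return off <= total && len <= total - off;
}

/* Deleting 'n' bytes at 'off' slides the tail down over its own old bytes:
   source and destination overlap, which memcpy does not permit and memmove
   does. Returns the new length, or (size_t)-1 if the range is out of bounds. */
static size_t remove_bytes(unsigned char *buf, size_t len, size_t off, size_t n)
{
    if (!field_fits(len, off, n))
        return (size_t)-1;
    memmove(buf + off, buf + off + n, len - off - n);
    return len - n;
}

/* Self-checking driver for the overlap case on a constructed buffer. */
static int remove_demo(void)
{
    unsigned char buf[8];
    memcpy(buf, "abcdefgh", 8);
    size_t newlen = remove_bytes(buf, 8, 1, 2);   /* drop "bc" */
    return newlen == 6 && memcmp(buf, "adefgh", 6) == 0;
}

int main(void)
{
    const size_t record_size = 1024;   /* constructed: bytes left in the record */
    const size_t field_off = 4;

    unsigned long bad  = read_be32_signed(sample_len);
    uint32_t      good = read_be32((const unsigned char *)sample_len);

    printf("signed decode:   %#lx  fits=%d\n", bad,
           field_fits(record_size, field_off, bad));
    printf("unsigned decode: %#x   fits=%d\n", good,
           field_fits(record_size, field_off, good));
    printf("overlapping remove ok: %d\n", remove_demo());
    return 0;
}
```

The point for a reviewer is the pairing: decoding with an unsigned widening is necessary, but a length that is decoded correctly still has to be checked against the bytes actually remaining before any `memcpy` or `memmove` uses it.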

References

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
