Vulnerability Details CVE-2014-9087
Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.048
EPSS Ranking 88.9%
CVSS Severity
CVSS v2 Score 7.5
References
- http://advisories.mageia.org/MGASA-2014-0498.html
- http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
- http://secunia.com/advisories/60073
- http://secunia.com/advisories/60189
- http://secunia.com/advisories/60233
- http://www.debian.org/security/2014/dsa-3078
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:234
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:151
- http://www.securityfocus.com/bid/71285
- http://www.ubuntu.com/usn/USN-2427-1
- https://blog.fuzzing-project.org/2-Buffer-overflow-and-other-minor-issues-in-GnuPG-and-libksba-TFPA-0012014.html
- http://advisories.mageia.org/MGASA-2014-0498.html
- http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
- http://secunia.com/advisories/60073
- http://secunia.com/advisories/60189
- http://secunia.com/advisories/60233
- http://www.debian.org/security/2014/dsa-3078
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:234
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:151
- http://www.securityfocus.com/bid/71285
- http://www.ubuntu.com/usn/USN-2427-1
- https://blog.fuzzing-project.org/2-Buffer-overflow-and-other-minor-issues-in-GnuPG-and-libksba-TFPA-0012014.html
Products affected by CVE-2014-9087
-
cpe:2.3:a:gnupg:gnupg:2.1.0
-
cpe:2.3:a:gnupg:libksba:0.0.0
-
cpe:2.3:a:gnupg:libksba:0.2.0
-
cpe:2.3:a:gnupg:libksba:0.2.1
-
cpe:2.3:a:gnupg:libksba:0.2.2
-
cpe:2.3:a:gnupg:libksba:0.2.3
-
cpe:2.3:a:gnupg:libksba:0.4.0
-
cpe:2.3:a:gnupg:libksba:0.4.1
-
cpe:2.3:a:gnupg:libksba:0.4.2
-
cpe:2.3:a:gnupg:libksba:0.4.3
-
cpe:2.3:a:gnupg:libksba:0.4.4
-
cpe:2.3:a:gnupg:libksba:0.4.5
-
cpe:2.3:a:gnupg:libksba:0.4.6
-
cpe:2.3:a:gnupg:libksba:0.4.7
-
cpe:2.3:a:gnupg:libksba:0.9.0
-
cpe:2.3:a:gnupg:libksba:0.9.1
-
cpe:2.3:a:gnupg:libksba:0.9.10
-
cpe:2.3:a:gnupg:libksba:0.9.11
-
cpe:2.3:a:gnupg:libksba:0.9.12
-
cpe:2.3:a:gnupg:libksba:0.9.13
-
cpe:2.3:a:gnupg:libksba:0.9.14
-
cpe:2.3:a:gnupg:libksba:0.9.15
-
cpe:2.3:a:gnupg:libksba:0.9.16
-
cpe:2.3:a:gnupg:libksba:0.9.2
-
cpe:2.3:a:gnupg:libksba:0.9.3
-
cpe:2.3:a:gnupg:libksba:0.9.4
-
cpe:2.3:a:gnupg:libksba:0.9.5
-
cpe:2.3:a:gnupg:libksba:0.9.6
-
cpe:2.3:a:gnupg:libksba:0.9.7
-
cpe:2.3:a:gnupg:libksba:0.9.8
-
cpe:2.3:a:gnupg:libksba:0.9.9
-
cpe:2.3:a:gnupg:libksba:1.0.0
-
cpe:2.3:a:gnupg:libksba:1.0.1
-
cpe:2.3:a:gnupg:libksba:1.0.2
-
cpe:2.3:a:gnupg:libksba:1.0.3
-
cpe:2.3:a:gnupg:libksba:1.0.4
-
cpe:2.3:a:gnupg:libksba:1.0.5
-
cpe:2.3:a:gnupg:libksba:1.0.6
-
cpe:2.3:a:gnupg:libksba:1.0.7
-
cpe:2.3:a:gnupg:libksba:1.0.8
-
cpe:2.3:a:gnupg:libksba:1.1.0
-
cpe:2.3:a:gnupg:libksba:1.2.0
-
cpe:2.3:a:gnupg:libksba:1.3.0
-
cpe:2.3:a:gnupg:libksba:1.3.1
-
cpe:2.3:o:canonical:ubuntu_linux:12.04
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:14.10
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:mageia:mageia:3.0
-
cpe:2.3:o:mageia:mageia:4.0