CVE-2014-3564

Published: 1 August 2014

Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line lengths in a specific order."

Priority

Status

Package	Release	Status
gpgme1.0 Launchpad, Ubuntu, Debian	lucid	Released (1.2.0-1.2ubuntu1.1)
	precise	Released (1.2.0-1.4ubuntu2.1)
	trusty	Released (1.4.3-0.1ubuntu5.1)
	upstream	Released (1.5.1)
	Patches: upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77

References

https://ubuntu.com/security/notices/USN-2307-1
https://www.cve.org/CVERecord?id=CVE-2014-3564
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756651
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3564

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›