CVE-2014-9087 - Vulnerability Details

Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Gnupg	Gnupg Libksba
Mageia	Mageia

Configuration 1 [-]

OR	cpe:2.3:o:mageia:mageia:3.0:::::::*
	cpe:2.3:o:mageia:mageia:4.0:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*

Configuration 3 [-]

cpe:2.3:a:gnupg:libksba:*:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:14.10:::::::*

Configuration 5 [-]

OR	cpe:2.3:a:gnupg:gnupg:2.1.0:-::::::
	cpe:2.3:a:gnupg:gnupg:2.1.0:beta1::::::

No data.

References

Link	Providers
http://advisories.mageia.org/MGASA-2014-0498.html
http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
http://secunia.com/advisories/60073
http://secunia.com/advisories/60189
http://secunia.com/advisories/60233
http://www.debian.org/security/2014/dsa-3078
http://www.mandriva.com/security/advisories?name=MDVSA-2014:234
http://www.mandriva.com/security/advisories?name=MDVSA-2015:151
http://www.securityfocus.com/bid/71285
http://www.ubuntu.com/usn/USN-2427-1
https://blog.fuzzing-project.org/2-Buffer-overflow-and-other-minor-issues-in-GnuPG-and-libksba-TFPA-0012014.html
https://nvd.nist.gov/vuln/detail/CVE-2014-9087
https://www.cve.org/CVERecord?id=CVE-2014-9087

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2014-12-01T15:00:00

Updated: 2024-08-06T13:33:13.454Z

Reserved: 2014-11-26T00:00:00

Link: CVE-2014-9087

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-12-01T15:59:11.797

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-9087

Redhat

Severity : Moderate

Publid Date: 2014-11-25T00:00:00Z

Links: CVE-2014-9087 - Bugzilla

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object