-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

##
## Patch description of patch 159ed043c7b3f46926263991e83271cf
##
Kind: security
Shortdescription.german: The GNU Privacy Guard. Encryption and decryption as well as signing of data
Shortdescription.english: The GNU Privacy Guard. Encrypts, decrypts, and signs data
Longdescription.german:
GNU Privacy Guard (gpg) allows constructing a message that passes the signature check with "--verify" but yields a different, potentially dangerous content when extracted with "-o --batch". This is possible because GPG messages can contain several text and signature parts, and "--verify" is lax in its verification: as soon as one signature is valid, it marks the complete message as valid. This problem was fixed by restricting the "--verify" option.

This problem could be used by a remote attacker to execute code on the machine of a user who is currently running YaST Online Update, by replacing YOU patches on a compromised YOU mirror server.

This problem has the Mitre CVE ID CVE-2006-0049.
Namreg.noitpircsedgnol:
Longdescription.english:
The GNU Privacy Guard (GPG) allows crafting a message which checks out as correct using "--verify", but extracts a different, potentially malicious content when using "-o - --batch". The reason for this is that a .gpg or .asc file can contain multiple plaintext and signature streams, and these streams can only be handled correctly by following the gpg state across the whole file. The gpg "--verify" option has been changed to be much stricter than before and to fail on files with multiple signatures/blocks, to mitigate the problem of doing --verify and then -o extraction.

This problem could be used by an attacker to remotely execute code by using handcrafted YaST Online Patch files put onto a compromised YOU mirror server and waiting for the user to run YOU.

This problem is tracked by the Mitre CVE ID CVE-2006-0049.
Hsilgne.noitpircsedgnol:
Size: 4645
Buildtime: 1141924062
Patchname: gpg
Patchversion: 52802
MinYaST1Version:
MinYaST2Version:
UpdateOnlyInstalled: true
Packages:
##
## -----> gpg <-----
##
Filename: gpg.rpm
Label: The GNU Privacy Guard. Encrypts, decrypts, and signs data
Series: i586
Size: 4745767 1558483
PatchRpmBasedOn: 1.4.2-5 1.4.2-5.2
PatchRpmSize: 4745767 737076
Deltas:
gpg-1.4.2-5_5.4.i586.delta.rpm 129338 1130c7a951c178083e73d749bb6bea52 gpg-1.4.2-5 1126291783 3d087006bf53e2a407184c421674cde9 gpg-1.4.2-5-8f59d274a00c952ed4a44e5908ada76ba810
gpg-1.4.2-5.2_5.4.i586.delta.rpm 127586 2dc5770388dbfecc084a3c7157df07a8 gpg-1.4.2-5.2 1140013201 f1422c0264ff3e270a56d03d4b47e762 gpg-1.4.2-5.2-cba3e0a5f461cf2f7dea7dd2fa5d977a842e30
Satled:
Buildtime: 1141924062
BuiltFrom: gpg-1.4.2-5.4.src.rpm
DepAND:
DepOR:
DepExcl:
Flag:
Category:
RpmGroup: Productivity/Security
Copyright: GPL
AuthorName: Werner Koch
AuthorAddress:
Version: 1.4.2-5.4
StartCommand:
Obsoletes:
Requires: info /bin/sh /bin/sh rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1 libbz2.so.1 libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1) libc.so.6(GLIBC_2.1.1) libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.2) libc.so.6(GLIBC_2.3) libc.so.6(GLIBC_2.3.3) libc.so.6(GLIBC_2.3.4) libdl.so.2 libdl.so.2(GLIBC_2.0) libdl.so.2(GLIBC_2.1) libldap-2.2.so.7 libresolv.so.2 libresolv.so.2(GLIBC_2.0) libresolv.so.2(GLIBC_2.2) libz.so.1 rpmlib(PayloadIsBzip2) <= 3.0.5-1
Provides: gnupg pgpgpg gpg = 1.4.2-5.4
##
## -----> gpg <-----
##
Filename: gpg.rpm
Label: The GNU Privacy Guard. Encrypts, decrypts, and signs data
Series: ppc
Size: 5113468 1597733
PatchRpmBasedOn: 1.4.2-5 1.4.2-5.2
PatchRpmSize: 5113468 780678
Deltas:
gpg-1.4.2-5_5.4.ppc.delta.rpm 175357 e9b72e31e257f6cb1600c20343c7bf54 gpg-1.4.2-5 1126306554 a0c2e86e23c555fa7db245fd5741a591 gpg-1.4.2-5-7b294c3989ed9042b184ec5b72d62ac5a810
gpg-1.4.2-5.2_5.4.ppc.delta.rpm 115452 078e1022cb35b4b35dc9619c1b72b0e6 gpg-1.4.2-5.2 1140013672 7e444671cbd7c2d018dae0b8f9d46ddc gpg-1.4.2-5.2-423c5559cdfb630491374c3d0baf913c842e30
Satled:
Buildtime: 1141923915
BuiltFrom: gpg-1.4.2-5.4.src.rpm
DepAND:
DepOR:
DepExcl:
Flag:
Category:
RpmGroup: Productivity/Security
Copyright: GPL
AuthorName: Werner Koch
AuthorAddress:
Version: 1.4.2-5.4
StartCommand:
Obsoletes:
Requires: info /bin/sh /bin/sh rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1 libbz2.so.1 libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1) libc.so.6(GLIBC_2.1.1) libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.2) libc.so.6(GLIBC_2.3) libc.so.6(GLIBC_2.3.3) libc.so.6(GLIBC_2.3.4) libdl.so.2 libdl.so.2(GLIBC_2.0) libdl.so.2(GLIBC_2.1) libldap-2.2.so.7 libresolv.so.2 libresolv.so.2(GLIBC_2.0) libresolv.so.2(GLIBC_2.2) libz.so.1 rpmlib(PayloadIsBzip2) <= 3.0.5-1
Provides: gnupg pgpgpg gpg = 1.4.2-5.4
##
## -----> gpg <-----
##
Filename: gpg.rpm
Label: The GNU Privacy Guard. Encrypts, decrypts, and signs data
Series: x86_64
Size: 4817286 1600277
PatchRpmBasedOn: 1.4.2-5 1.4.2-5.2
PatchRpmSize: 4817286 782862
Deltas:
gpg-1.4.2-5_5.4.x86_64.delta.rpm 144612 3f7e9979a2e6127af13c15cefd541da2 gpg-1.4.2-5 1126300227 06cfe8039b4f45d62a7f2338472d3843 gpg-1.4.2-5-b28345b2ca6a47a725cfb5e22b0eabb3a810
gpg-1.4.2-5.2_5.4.x86_64.delta.rpm 138256 23d60a4cbfe96d69bf96ef89ba4ca055 gpg-1.4.2-5.2 1140013301 b74ac7c35e44572b30c480bdce458450 gpg-1.4.2-5.2-62c483ad75691866c5507400d8e9fe2c842e30
Satled:
Buildtime: 1141924019
BuiltFrom: gpg-1.4.2-5.4.src.rpm
DepAND:
DepOR:
DepExcl:
Flag:
Category:
RpmGroup: Productivity/Security
Copyright: GPL
AuthorName: Werner Koch
AuthorAddress:
Version: 1.4.2-5.4
StartCommand:
Obsoletes:
Requires: info /bin/sh /bin/sh rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1 libbz2.so.1()(64bit) libc.so.6()(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.3)(64bit) libc.so.6(GLIBC_2.3.3)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libdl.so.2()(64bit) libdl.so.2(GLIBC_2.2.5)(64bit) libldap-2.2.so.7()(64bit) libresolv.so.2()(64bit) libresolv.so.2(GLIBC_2.2.5)(64bit) libz.so.1()(64bit) rpmlib(PayloadIsBzip2) <= 3.0.5-1
Provides: gnupg pgpgpg gpg = 1.4.2-5.4
Segakcap:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEEbMZqE7a6JyACsoRApd3AJ9Jvqiex8aRwNOr3sOTeuphbLqxgwCc
DOY8QdUy5YKbkubyVIEWNLLKMC4=
=eGsu
-----END PGP SIGNATURE-----
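The multiple-stream condition the advisory describes can be checked by walking the OpenPGP packet headers and refusing any file that carries more than one plaintext or one signature packet. This is an added example for this note, not GnuPG's own code and not the fix shipped in the patch; it assumes binary (non-armored) input and builds two dummy messages inline, one with a single plaintext/signature pair and one with a second pair appended.

```python
# Counts plaintext and signature packets in an OpenPGP (RFC 4880) binary stream, the
# strictness the patched "--verify" adds. Example code for this note, not GnuPG's own.
import struct

SIGNATURE, LITERAL_DATA = 2, 11  # RFC 4880 packet tags

def iter_packets(data):
    """Yield (tag, body) per packet; partial and indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("byte %d is not a packet header" % i)
        i += 1
        if ctb & 0x40:  # new-format header: tag in the low 6 bits
            tag = ctb & 0x3F
            first, i = data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body length at byte %d" % (i - 1))
        else:  # old-format header: tag in bits 2..5, length type in bits 0..1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length at byte %d" % (i - 1))
            length = int.from_bytes(data[i:i + (1 << ltype)], "big")
            i += 1 << ltype
        yield tag, data[i:i + length]
        i += length

def count_blocks(data):
    """Return (literal data packets, signature packets) found in the stream."""
    tags = [tag for tag, _ in iter_packets(data)]
    return tags.count(LITERAL_DATA), tags.count(SIGNATURE)

def is_single_signed_message(data):
    """Strict rule: accept exactly one plaintext and one signature, reject the rest."""
    return count_blocks(data) == (1, 1)

def pkt(tag, body):
    """Build a new-format packet with a one-octet length (body under 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed samples: the bodies are dummies, only the packet layout matters here.
SIGNED_ONCE = pkt(LITERAL_DATA, b"b\x00hello") + pkt(SIGNATURE, b"\x04")
TWO_STREAMS = SIGNED_ONCE + pkt(LITERAL_DATA, b"b\x00other") + pkt(SIGNATURE, b"\x04")
```

A real message also carries a one-pass signature packet (tag 4) before the literal data and may use compressed data packets, so a production check would descend into those as well; the header walk itself is unchanged.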