Vulnerability Details : CVE-2014-9087
Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.
Vulnerability category: Overflow; Denial of service
Products affected by CVE-2014-9087
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.1.0:-:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libksba:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:o:mageia:mageia:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-9087
- EPSS score: 1.06% (probability of exploitation activity in the next 30 days)
- Percentile: ~84% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2014-9087
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
CWE ids for CVE-2014-9087
- The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2014-9087
- https://blog.fuzzing-project.org/2-Buffer-overflow-and-other-minor-issues-in-GnuPG-and-libksba-TFPA-0012014.html : Buffer overflow and other minor issues in GnuPG and libksba - TFPA 001/2014 | The Fuzzing Project (Third Party Advisory)
- http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html : [Announce] [security fix] Libksba 1.3.2 for GnuPG released (Mailing List; Vendor Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:234 : mandriva.com (Not Applicable)
- http://advisories.mageia.org/MGASA-2014-0498.html : Mageia Advisory: MGASA-2014-0498 - Updated libksba packages fix security vulnerability (Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:151 : mandriva.com (Not Applicable)
- http://www.debian.org/security/2014/dsa-3078 : Debian -- Security Information -- DSA-3078-1 libksba (Third Party Advisory)
- http://www.securityfocus.com/bid/71285 : Libksba 'ksba_oid_to_str()' Function Buffer Overflow Vulnerability (Third Party Advisory; VDB Entry)
- http://www.ubuntu.com/usn/USN-2427-1 : USN-2427-1: Libksba vulnerability | Ubuntu security notices (Patch; Third Party Advisory)