Vulnerability Details : CVE-2014-9087

Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.

Vulnerability category: OverflowDenial of service

Published 2014-12-01 15:59:12

Updated 2023-05-18 18:08:04

Source Debian GNU/Linux

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2014-9087

Probability of exploitation activity in the next 30 days: 1.66%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-9087

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	[email protected]
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2014-9087

CWE-191 Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Assigned by: [email protected] (Primary)

References for CVE-2014-9087

https://blog.fuzzing-project.org/2-Buffer-overflow-and-other-minor-issues-in-GnuPG-and-libksba-TFPA-0012014.html

Third Party Advisory
http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html

Mailing List;Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2014:234

Not Applicable
http://advisories.mageia.org/MGASA-2014-0498.html

Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:151

Not Applicable
http://www.debian.org/security/2014/dsa-3078

Third Party Advisory
http://www.securityfocus.com/bid/71285

Third Party Advisory;VDB Entry
http://www.ubuntu.com/usn/USN-2427-1

Patch;Third Party Advisory

Products affected by CVE-2014-9087

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Gnupg » Gnupg » Version: 2.1.0 Update Beta1
cpe:2.3:a:gnupg:gnupg:2.1.0:beta1:*:*:*:*:*:*
Matching versions
Gnupg » Gnupg » Version: 2.1.0
cpe:2.3:a:gnupg:gnupg:2.1.0:-:*:*:*:*:*:*
Matching versions
Gnupg » Libksba
Versions before (<) 1.3.2
cpe:2.3:a:gnupg:libksba:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.10
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
Matching versions
Mageia » Mageia » Version: 3.0
cpe:2.3:o:mageia:mageia:3.0:*:*:*:*:*:*:*
Matching versions
Mageia » Mageia » Version: 4.0
cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*
Matching versions