Progeny Security Advisory: gnupg format string vulnerability
May 30, 2001, 23:26
From: Progeny Security Team <security@progeny.com>
Subject: PROGENY-SA-2001-16: gnupg format string vulnerability
Date: Wed, 30 May 2001 17:11:19 -0500 (EST)
---------------------------------------------------------------------------
PROGENY SERVICE NETWORK -- SECURITY ADVISORY PROGENY-SA-2001-16
---------------------------------------------------------------------------
Synopsis: gnupg format string vulnerability
Software: gnupg
History:
2001-05-29 Vulnerability announced
2001-05-29 Vendor patch/fix available
2001-05-30 Update available in Progeny archive
Credits: fish stiqz <fish@synnergy.net>
Affects: Progeny Debian (gnupg prior to 1.0.4-2progeny1)
Progeny Only: NO
Vendor-Status: New Version Released (gnupg_1.0.4-2progeny1)
$Progeny: security/advisory/PROGENY-SA-2001-16,v 1.1 2001/05/30 22:04:10 jdaily Exp $
---------------------------------------------------------------------------
SUMMARY
GNU Privacy Guard (GnuPG, also known as GPG) is an encryption program that
provides functionality similar to PGP. It contains a format string
vulnerability that can be used to invoke shell commands with the
current user's privileges.
DETAILED DESCRIPTION
One indirect invocation of vfprintf neglects to pass "%s" as the first
argument, so a filename containing format directives is interpreted as
the format string itself; with careful planning this can be used to
execute arbitrary code (shellcode).
Note that the name of the file being decrypted is irrelevant; what
matters is the filename recorded when the data was originally encrypted.
In practice, this would be difficult to exploit reliably, but sample
code for Linux has been published to Bugtraq that provides a remote
shell.
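The pattern described above, as an added illustration that is not GnuPG's own code: a thin wrapper around vsnprintf is called once with the filename as the format (the bug) and once with a literal "%s" and the filename as its argument (the fix), and a helper checks whether the filename survived byte for byte. The function names and the sample filename are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Forwards to vsnprintf, the indirect invocation shape the advisory describes.
   The format attribute lets gcc/clang -Wformat-security flag any caller that
   passes a non-literal fmt, the cheapest audit for this bug class. */
__attribute__((format(printf, 3, 4)))
static int format_into(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Bug: the filename (attacker-controlled, it travels inside the
   encrypted data) becomes the format string, so any %-directives in
   it are interpreted, here with no arguments backing them. */
int report_filename_vulnerable(char *buf, size_t len, const char *name)
{
    return format_into(buf, len, name);
}

/* Fix: a literal "%s" is the format and the filename is its argument,
   so its bytes are copied verbatim whatever they contain. */
int report_filename_fixed(char *buf, size_t len, const char *name)
{
    return format_into(buf, len, "%s", name);
}

/* Returns 1 if the message built by `report` kept the filename byte for byte. */
int filename_preserved(int (*report)(char *, size_t, const char *),
                       const char *name)
{
    char buf[256];
    if (report(buf, sizeof buf, name) < 0)
        return 0;
    return strcmp(buf, name) == 0;
}
int main(void)
{
    /* Constructed sample filename carrying a harmless read-only directive. */
    const char *name = "notes%x.txt";
    printf("vulnerable kept name: %d\n", filename_preserved(report_filename_vulnerable, name));
    printf("fixed kept name:      %d\n", filename_preserved(report_filename_fixed, name));
    return 0;
}
```

Compiling with -Wformat-security reports the non-literal format in report_filename_vulnerable, which is how this class of bug is caught before it reaches a release.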
SOLUTION (See also: UPDATING VIA APT-GET)
Upgrade to a fixed version of gnupg. gnupg version 1.0.4-2progeny1
corrects the problem. For your convenience, you may upgrade to the
gnupg_1.0.4-2progeny1 package.
UPDATING VIA APT-GET
1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
update repository:
deb http://archive.progeny.com/progeny updates/newton/
2. Update your cache of available packages for apt(8).
Example:
# apt-get update
3. Using apt(8), install the new package. apt(8) will download the
update, verify its integrity with md5, and then install the
package on your system with dpkg(8).
Example:
# apt-get install gnupg
UPDATING VIA DPKG
1. Use your preferred FTP/HTTP client to retrieve the following
updated files from Progeny's update archive at:
http://archive.progeny.com/progeny/updates/newton/
MD5 Checksum Filename
-------------------------------- -------------------------------------
ede2df0c58899edce9e654c6f28a3edb gnupg_1.0.4-2progeny1_i386.deb
Example:
$ wget \
http://archive.progeny.com/progeny/updates/newton/gnupg_1.0.4-2progeny1_i386.deb
2. Use the md5sum(1) command on the retrieved files to verify that
they match the MD5 checksum provided in this advisory:
Example:
$ md5sum gnupg_1.0.4-2progeny1_i386.deb
3. Then install the replacement package(s) using dpkg(8).
Example:
# dpkg --install gnupg_1.0.4-2progeny1_i386.deb
WORKAROUND
No known workaround exists for this vulnerability.
MORE INFORMATION
The GnuPG homepage is located at http://www.gnupg.org/
The original post to Bugtraq with full details can be found at
http://archives.indenial.com/hypermail/bugtraq/2001/May2001/0275.html.
Progeny advisories can be found at http://www.progeny.com/security/.
---------------------------------------------------------------------------
pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>