Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


Caldera Security Advisory: gnupg

Jun 08, 2001, 23:12 (0 Talkback[s])
From: Caldera Support Information 
Subject: [CSSA-2001-020.0] Format bug in gnupg
Date: Fri, 8 Jun 2001 12:17:23 -0600


____________________________________________________________________________
                   Caldera International, Inc.  Security Advisory

Subject:                format bug in gnupg
Advisory number:        CSSA-2001-020.0
Issue date:             2001 June, 08
Cross reference:
____________________________________________________________________________


1. Problem Description

   There is a format string problem in the printing of filenames of
   GnuPG. It is possible that a remote attacker creates a mailmessage
   that when opened with a mailprogram exploits the problem and
   allows the attacker to gain access to the users account.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                All packages previous to
                                gnupg-1.0.6-1

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder       gnupg-1.0.6-1

   OpenLinux eDesktop 2.4       All packages previous to
                                gnupg-1.0.6-1

3. Solution

   Workaround

      none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS
   
   4.2 Verification

       c34cd4d1c2de4caebdb52b6057752127  RPMS/gnupg-1.0.6-1.i386.rpm
       46b5360e1f2ea45681b95a6c3b1bb34f  SRPMS/gnupg-1.0.6-1.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv gnu*.i386.rpm

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       d8c6d2f3ca54e5e677b8bec6b5089687  RPMS/gnupg-1.0.6-1.i386.rpm
       46b5360e1f2ea45681b95a6c3b1bb34f  SRPMS/gnupg-1.0.6-1.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fvh gnu*i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       f4931404eab64b6365b4abba69a42ef4  RPMS/gnupg-1.0.6-1.i386.rpm
       46b5360e1f2ea45681b95a6c3b1bb34f  SRPMS/gnupg-1.0.6-1.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

           rpm -Fvh gnu*i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10044.

8. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements:

   Caldera International wishes to thank Synnergy Networks for
   reporting the problem and the GnuPG folks for providing a fixed
   version.

____________________________________________________________________________