Linux Today: Linux News On Internet Time.

EnGarde Secure Linux Security Advisory: gnupg format string vulnerability

May 30, 2001, 19:45
From: EnGarde Secure Linux <security@guardiandigital.com>
Subject: [ESA-20010530-01]  gnupg format string vulnerability
Date: Wed, 30 May 2001 14:54:59 -0400 (EDT)

| EnGarde Secure Linux Security Advisory                    May 30, 2001 |
| http://www.engardelinux.org/                           ESA-20010530-01 |
|                                                                        |
| Package:  gnupg                                                        |
| Summary:  There is a format string vulnerability in the gnupg package. |

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.

  There is a format string vulnerability in gnupg which can allow an
  attacker to exploit a victim by sending them a malicious encrypted
  message.  The attack takes place when the victim attempts to decrypt
  this message.

  From the original advisory disclosing the bug:

    "The problem code lies in util/ttyio.c in the 'do_get' function.
     There is a call to a function called 'tty_printf' (which eventually
     results in a vfprintf call) without a constant format string:

      >     tty_printf( prompt );

     If gpg attempts to decrypt a file whose filename does not end in
     '.gpg', that filename (minus the extension) is copied to the prompt
     string, allowing a user-suppliable format string."

  An exploit does exist and all users are urged to upgrade to the latest
  version (1.0.6) immediately.
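  As an added illustration (not code from the EnGarde advisory, from the
  original disclosure, or from GnuPG), the following C program models the
  pattern described above: a prompt built from the input filename minus its
  extension reaches a printf-style function as its format argument. The
  prompt wording, the sample filenames and the helper names are constructed
  for this example. It shows the hardened form, where the prompt is passed as
  data under a constant "%s" format, next to a check that counts how many
  arguments a string would consume if it were ever used as a format; that
  count is the quickest way to see why even an innocent filename such as
  `50%off.txt` is unsafe in the vulnerable call.

```c
/* Added example, not GnuPG or EnGarde code. Models the advisory's bug:
 * a filename-derived prompt used as a printf-style FORMAT string.
 * Prompt wording, filenames and helper names are constructed here. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* GnuPG derives the output name itself when the input ends in ".gpg";
 * otherwise (per the advisory) it asks the user, embedding the input name. */
int needs_prompt(const char *filename) {
    size_t len = strlen(filename);
    return !(len >= 4 && strcmp(filename + len - 4, ".gpg") == 0);
}

/* Build the prompt as the advisory describes: the filename minus its
 * extension is copied into the prompt text. Returns 0, or -1 if truncated. */
int build_prompt(const char *filename, char *out, size_t outlen) {
    const char *dot = strrchr(filename, '.');
    size_t base_len = dot ? (size_t)(dot - filename) : strlen(filename);
    int n = snprintf(out, outlen, "Enter new file name [%.*s]: ",
                     (int)base_len, filename);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Count how many arguments a printf-style format would consume.
 * "%%" is a literal percent; each '*' in width/precision pulls one extra
 * argument; every other conversion pulls one. A string meant to be
 * displayed as plain text should yield 0; anything else means it must
 * never be passed where a format is expected. */
int count_conversions(const char *s) {
    int consumed = 0;
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }
        while (*p && strchr("-+ #0123456789.*", *p)) {
            if (*p == '*') consumed++;
            p++;
        }
        if (*p == '\0') break;        /* dangling '%': no complete conversion */
        consumed++;
        p++;
    }
    return consumed;
}

/* Vulnerable shape quoted in the advisory (shown, deliberately not called):
 *     tty_printf( prompt );
 * GCC's -Wformat-security reports exactly this: a non-literal format with
 * no arguments. Any '%' in the filename now steers the underlying vfprintf.
 *
 * Hardened form: the prompt is DATA under a constant format, so '%' is
 * printed literally. Returns the rendered length, or -1 if truncated. */
int render_prompt(const char *prompt, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s", prompt);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void) {
    /* Constructed inputs: a benign name and one with an innocent '%'. */
    const char *inputs[] = { "notes.txt", "50%off.txt", "secret.gpg" };
    char prompt[128], shown[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (!needs_prompt(inputs[i])) {
            printf("%-12s -> output name derived, no prompt\n", inputs[i]);
            continue;
        }
        build_prompt(inputs[i], prompt, sizeof prompt);
        render_prompt(prompt, shown, sizeof shown);
        printf("%-12s -> \"%s\" would consume %d argument(s) as a format\n",
               inputs[i], shown, count_conversions(prompt));
    }
    return 0;
}
```

  Compiling with `-Wall -Wformat-security` is the cheap detection for this
  bug class: the quoted `tty_printf( prompt )` shape is reported, while the
  `"%s", prompt` form in `render_prompt` is silent because the format is a
  literal.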

  All users should upgrade to the most recent version, as outlined in
  this advisory.  All updates can be found at:


  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the command:

    # rpm -Kv <filename>


  Source Packages:

      MD5 Sum:  1f8f3ab71d5b4c271f4dd1b246b0e191

  Binary Packages:

      MD5 Sum:  62558d3d186cc6724ace14fab4b119e9

      MD5 Sum:  74feaca3f74deda14d78b04daa9b0319


  Guardian Digital's public key:

  Credit for the discovery of this bug goes to:
    fish stiqz 

  gnupg's Official Web Site:

  The original advisory disclosing the vulnerability:

Author: Ryan W. Maple,  
Copyright 2001, Guardian Digital, Inc.