Linux Today: Linux News On Internet Time.

Trustix Secure Linux Security Advisory: GnuPG

Jun 01, 2001, 18:34
From: Trustix Secure Linux Advisor <tsl@trustix.com>
Subject: TSLSA-2001-0009 - GnuPG
Date: Fri, 1 Jun 2001 11:18:16 +0200

Trustix Secure Linux Security Advisory #2001-0009

Package name:      GnuPG
Severity:          Remote arbitrary code execution vulnerability
Date:              2001-06-01
Affected versions: TSL 1.01, 1.1, 1.2


Problem description:

  Hidden deep within GnuPG's code is a format string vulnerability which can
  be triggered simply by attempting to decrypt a file with a specially crafted
  filename. This vulnerability can allow a malicious user to gain
  unauthorized access to the account which attempted the decryption.

  We recommend that all systems with this package installed be upgraded.

  All TSL updates are available from

Automatic updates:
  Users of the SWUP tool can have updates installed automatically
  using 'swup --upgrade'.
  Note that kernel packages are not normally fit to be upgraded this way
  and are therefore excluded in the default configuration.

  Get SWUP from:

  Check out our mailing lists:

  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:

  The advisory itself is available from the errata page at
  or directly at

MD5sums of the packages:
87f660776fcf0de42aa075342a8fb6d6  ./1.2/SRPMS/gnupg-1.0.6-1tr.src.rpm
00ac255898db5e97baba2fe4083cdb78  ./1.2/RPMS/gnupg-1.0.6-1tr.i586.rpm
87f660776fcf0de42aa075342a8fb6d6  ./1.1/SRPMS/gnupg-1.0.6-1tr.src.rpm
6dd900b24b7658608d19a6a1c8500b5d  ./1.1/RPMS/gnupg-1.0.6-1tr.i586.rpm

Trustix Security Team
Trustix Secure Linux Advisor
Homepage:           http://www.trustix.net/
Errata:             http://www.trustix.net/errata/
Automatic updates:  http://www.trustix.net/pub/Trustix/software/swup/
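
The bug class named in the problem description, as an added illustration that is not GnuPG's code and not part of the Trustix advisory: a filename used as a printf format string next to the corrected call, plus a helper that counts format directives in a name. The function names and the sample filename are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern: attacker-influenced filename used as the format
 * string. Directives such as %x or %n in the name are interpreted by
 * printf-family functions and consume arguments that were never passed. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int describe_file_unsafe(char *out, size_t n, const char *filename)
{
    return snprintf(out, n, filename);   /* -Wformat-security flags this */
}
#pragma GCC diagnostic pop

/* HARDENED pattern: constant format string, filename passed as data. */
int describe_file_safe(char *out, size_t n, const char *filename)
{
    return snprintf(out, n, "%s", filename);
}

/* Triage helper: count printf-style directives in a name ("%%" is a
 * literal percent sign and is not counted). */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    const char *crafted = "msg_%x_%x.gpg";  /* constructed sample name */
    char buf[64];

    describe_file_safe(buf, sizeof buf, crafted);
    printf("safe:   %s (directives in name: %d)\n", buf, count_directives(crafted));
    /* Only benign input here: a crafted name would be undefined behaviour. */
    describe_file_unsafe(buf, sizeof buf, "plain.gpg");
    printf("unsafe: %s\n", buf);
    return 0;
}
```

Building with `-Wformat -Wformat-security` (or `-Werror=format-security`) makes the compiler report the unsafe call once the pragma is removed.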