Debian Security Advisory: multiple gnupg problems

Subject: [SECURITY] [DSA-061-1] multiple gnupg problems
Date:     Sat, 16 Jun 2001 19:57:08 +0200
From:     Wichert Akkerman <wichert@cistron.nl>

- ------------------------------------------------------------------------
Debian Security Advisory DSA-061-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
June 16, 2001
- ------------------------------------------------------------------------


Package        : gnupg
Problem type   : printf format attack
                 web of trust pollution
Debian-specific: no

The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation)
as distributed in Debian GNU/Linux 2.2 suffers from two problems:

fish stiqz reported on bugtraq that there was a printf format
problem in the do_get() function: it printed a prompt which included
the filename that was being decrypted without checking for
possible printf format attacks. This could be exploited by tricking
someone into decrypting a file with a specially crafted filename.

The second bug is related to importing secret keys: when gnupg
imported a secret key it would immediately make the associated
public key fully trusted which changes your web of trust without
asking for a confirmation. To fix this you now need a special
option to import a secret key.

Both problems have been fixed in version 1.0.6-0potato1.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:
    http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.6-0potato1.diff.gz
      MD5 checksum: 4928a4a589c11cadea852347d23edf5a
    http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.6-0potato1.dsc
      MD5 checksum: e6057febed9106dfc9f77fb61fbd0ca4
    http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.6.orig.tar.gz
      MD5 checksum: 7c319a9e5e70ad9bc3bf0d7b5008a508

  Alpha architecture:
    
http://security.debian.org/dists/stable/updates/main/binary-alpha/gnupg_1.0.6-0potato1_alpha.deb
      MD5 checksum: 76c3f586b91bba1c69a6fb6ea93a2fbd

  ARM architecture:
    
http://security.debian.org/dists/stable/updates/main/binary-arm/gnupg_1.0.6-0potato1_arm.deb
      MD5 checksum: 84a47897a38f44b07180e9a9ec16ab49

  Intel IA-32 architecture:
    
http://security.debian.org/dists/stable/updates/main/binary-i386/gnupg_1.0.6-0potato1_i386.deb
      MD5 checksum: d3a91ccc9d1c951b80afe17e59190db3

  Motorola 680x0 architecture:
    
http://security.debian.org/dists/stable/updates/main/binary-m68k/gnupg_1.0.6-0potato1_m68k.deb
      MD5 checksum: 6b12f23b3c3840574af826db147ed9cd

  PowerPC architecture:
    
http://security.debian.org/dists/stable/updates/main/binary-powerpc/gnupg_1.0.6-0potato1_powerpc.deb
      MD5 checksum: a5a9bffdce2abf112c2058097f48f784

  Sun Sparc architecture:
    
http://security.debian.org/dists/stable/updates/main/binary-sparc/gnupg_1.0.6-0potato1_sparc.deb
      MD5 checksum: 487c0d605ff5b3fdce2212d4e9c07bf0

  These packages will be moved into the stable distribution on its next
  revision.



For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- -- 
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org