From: EnGarde Secure Linux <security@guardiandigital.com>
Subject: [ESA-20010530-01] gnupg format string vulnerability
Date: Wed, 30 May 2001 14:54:59 -0400 (EDT)
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory May 30, 2001 |
| http://www.engardelinux.org/ ESA-20010530-01 |
| |
| Package: gnupg |
| Summary: There is a format string vulnerability in the gnupg package. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
--------
There is a format string vulnerability in gnupg which can allow an
attacker to exploit a victim by sending them a malicious encrypted
message. The attack takes place when the victim attempts to decrypt
this message.
DETAIL
------
From the original advisory disclosing the bug:
"The problem code lies in util/ttyio.c in the 'do_get' function.
There is a call to a function called 'tty_printf' (which eventually
results in a vfprintf call) without a constant format string:
> tty_printf( prompt );
If gpg attempts to decrypt a file whose filename does not end in
'.gpg', that filename (minus the extension) is copied to the prompt
string, allowing a user-suppliable format string."
An exploit does exist and all users are urged to upgrade to the latest
version (1.0.6) immediately.
SOLUTION
--------
All users should upgrade to the most recent version, as outlined in
this advisory. All updates can be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh <filename>
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signature of the updated packages, execute the command:
# rpm -Kv <filename>
UPDATED PACKAGES
----------------
Source Packages:
SRPMS/gnupg-1.0.6-1.0.3.src.rpm
MD5 Sum: 1f8f3ab71d5b4c271f4dd1b246b0e191
Binary Packages:
i386/gnupg-1.0.6-1.0.3.i386.rpm
MD5 Sum: 62558d3d186cc6724ace14fab4b119e9
i686/gnupg-1.0.6-1.0.3.i686.rpm
MD5 Sum: 74feaca3f74deda14d78b04daa9b0319
REFERENCES
----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
fish stiqz
gnupg's Official Web Site:
http://www.gnupg.org/
The original advisory disclosing the vulnerability:
http://www.linuxsecurity.com/articles/cryptography_article-3083.html
Author: Ryan W. Maple,
Copyright 2001, Guardian Digital, Inc.
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts