
EnGarde Secure Linux Security Advisory: gnupg format string vulnerability

From: EnGarde Secure Linux <security@guardiandigital.com>
Subject: [ESA-20010530-01]  gnupg format string vulnerability
Date: Wed, 30 May 2001 14:54:59 -0400 (EDT)


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                    May 30, 2001 |
| http://www.engardelinux.org/                           ESA-20010530-01 |
|                                                                        |
| Package:  gnupg                                                        |
| Summary:  There is a format string vulnerability in the gnupg package. |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
--------
  There is a format string vulnerability in gnupg (fixed in version 1.0.6)
  which an attacker can exploit by getting a victim to decrypt a file with
  a crafted name: part of the filename is copied into a prompt that gpg
  then uses as a printf-style format string.  The attack takes place when
  the victim attempts to decrypt this file, so a malicious message with a
  suitably chosen filename is sufficient.


DETAIL
------
  From the original advisory disclosing the bug:

    "The problem code lies in util/ttyio.c in the 'do_get' function.
     There is a call to a function called 'tty_printf' (which eventually
     results in a vfprintf call) without a constant format string:

      >     tty_printf( prompt );

     If gpg attempts to decrypt a file whose filename does not end in
     '.gpg', that filename (minus the extension) is copied to the prompt
     string, allowing a user-suppliable format string."

  An exploit does exist and all users are urged to upgrade to the latest
  version (1.0.6) immediately.
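  The following C program is an added illustration of the pattern the
  advisory describes; it is not gpg's code.  tty_printf_to() stands in
  for gpg's tty_printf() but writes to a buffer so the result can be
  inspected, and the prompt wording, the PROMPT_MAX size and the
  count_directives() helper are assumptions made for this example.  It
  shows the vulnerable call (the prompt, carrying bytes from the
  filename, passed as the format string) beside the corrected call (a
  constant "%s" format), and a small audit helper that flags '%'
  directives in data that is about to reach a format argument:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Buffer size used throughout this example (an assumption, not gpg's). */
#define PROMPT_MAX 256

/* Stand-in for gpg's tty_printf(): it formats into a caller-supplied buffer
   instead of the terminal so the result can be inspected.  Whatever arrives
   in 'fmt' is interpreted by vsnprintf, exactly as in the real function. */
static int tty_printf_to(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Builds the output-name prompt from the input filename the way the advisory
   describes: the extension is stripped and the remainder is embedded in the
   prompt text.  The exact wording is an assumption for this example. */
static void build_prompt(const char *filename, char *prompt, size_t len)
{
    char base[PROMPT_MAX];
    const char *dot = strrchr(filename, '.');
    size_t blen = dot ? (size_t)(dot - filename) : strlen(filename);

    if (blen >= sizeof base)
        blen = sizeof base - 1;
    memcpy(base, filename, blen);
    base[blen] = '\0';
    snprintf(prompt, len, "Enter new file name [%s]: ", base);
}

/* Vulnerable pattern (the do_get() call in the advisory): the prompt, which
   carries attacker-chosen bytes from the filename, is passed AS the format
   string, so every '%' directive in it is interpreted.  Returns the text. */
const char *ask_outfile_vulnerable(const char *filename)
{
    static char out[PROMPT_MAX];
    char prompt[PROMPT_MAX];

    build_prompt(filename, prompt, sizeof prompt);
    tty_printf_to(out, sizeof out, prompt);        /* <-- format string bug */
    return out;
}

/* Fixed pattern: a constant format string; the prompt is data only. */
const char *ask_outfile_fixed(const char *filename)
{
    static char out[PROMPT_MAX];
    char prompt[PROMPT_MAX];

    build_prompt(filename, prompt, sizeof prompt);
    tty_printf_to(out, sizeof out, "%s", prompt);  /* prompt is never parsed */
    return out;
}

/* Audit helper: counts printf conversion directives in untrusted text.  A
   non-zero count in a string that will reach a format argument is exactly
   the condition the advisory describes; "%%" is a literal '%' and skipped. */
int count_directives(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* escaped percent, not a conversion */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed filenames.  "%%" is used for the vulnerable call so that it
       stays well-defined here; a real attacker would use %x / %n, which read
       and write through arguments that were never passed. */
    const char *benign_looking = "report%%.txt";
    const char *hostile = "evil%n%x.asc";

    printf("vulnerable: %s\n", ask_outfile_vulnerable(benign_looking));
    printf("fixed:      %s\n", ask_outfile_fixed(benign_looking));
    printf("fixed:      %s\n", ask_outfile_fixed(hostile));
    printf("directives in \"%s\": %d\n", hostile, count_directives(hostile));
    return 0;
}
```

  Compiled with -Wall -Wformat-security, gcc and clang do not warn about
  the vulnerable call above because tty_printf_to() is an ordinary
  function; declaring such wrappers with
  __attribute__((format(printf, 3, 4))) makes the compiler treat them
  like printf, and the non-literal, argument-less format then triggers
  the warning at the call site.  That is the cheapest way to find this
  class of bug in a code base that wraps printf, as gpg's ttyio.c does.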


SOLUTION
--------
  All users should upgrade to the most recent version, as outlined in
  this advisory.  All updates can be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  Before installing, verify the signature of the updated packages (this
  requires Guardian Digital's public key, listed under REFERENCES, to be
  available to rpm) by executing the command:

    # rpm -Kv <filename>

  and compare each file's MD5 sum against the values listed under
  UPDATED PACKAGES below.


UPDATED PACKAGES
----------------

  Source Packages:

    SRPMS/gnupg-1.0.6-1.0.3.src.rpm
      MD5 Sum:  1f8f3ab71d5b4c271f4dd1b246b0e191

  Binary Packages:

    i386/gnupg-1.0.6-1.0.3.i386.rpm
      MD5 Sum:  62558d3d186cc6724ace14fab4b119e9

    i686/gnupg-1.0.6-1.0.3.i686.rpm
      MD5 Sum:  74feaca3f74deda14d78b04daa9b0319


REFERENCES
----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    fish stiqz 

  gnupg's Official Web Site:
    http://www.gnupg.org/

  The original advisory disclosing the vulnerability:
    http://www.linuxsecurity.com/articles/cryptography_article-3083.html

Author: Ryan W. Maple
Copyright 2001, Guardian Digital, Inc.
