From: EnGarde Secure Linux <security@guardiandigital.com>
Subject: [ESA-20010530-01] gnupg format string vulnerability
Date: Wed, 30 May 2001 14:54:59 -0400 (EDT)

+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                     May 30, 2001 |
| http://www.engardelinux.org/                            ESA-20010530-01 |
|                                                                        |
| Package: gnupg                                                         |
| Summary: There is a format string vulnerability in the gnupg package.  |
+------------------------------------------------------------------------+

EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web based
secure remote management, complete e-commerce using AllCommerce, and
integrated open source security tools.

OVERVIEW
--------
There is a format string vulnerability in gnupg which can allow an
attacker to exploit a victim by sending them a malicious encrypted
message. The attack takes place when the victim attempts to decrypt
this message.

DETAIL
------
From the original advisory disclosing the bug:

  "The problem code lies in util/ttyio.c in the 'do_get' function.
   There is a call to a function called 'tty_printf' (which eventually
   results in a vfprintf call) without a constant format string:

   > tty_printf( prompt );

   If gpg attempts to decrypt a file whose filename does not end in
   '.gpg', that filename (minus the extension) is copied to the prompt
   string, allowing a user-suppliable format string."

An exploit does exist and all users are urged to upgrade to the latest
version (1.0.6) immediately.

SOLUTION
--------
All users should upgrade to the most recent version, as outlined in
this advisory. All updates can be found at:

  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
  http://ftp.engardelinux.org/pub/engarde/stable/updates/

Before upgrading the package, the machine must either:

  a) be booted into a "standard" kernel; or
  b) have LIDS disabled.

To disable LIDS, execute the command:

  # /sbin/lidsadm -S -- -LIDS_GLOBAL

To install the updated package, execute the command:

  # rpm -Uvh <filename>

To re-enable LIDS (if it was disabled), execute the command:

  # /sbin/lidsadm -S -- +LIDS_GLOBAL

To verify the signature of the updated packages, execute the command:

  # rpm -Kv <filename>

UPDATED PACKAGES
----------------
Source Packages:
  SRPMS/gnupg-1.0.6-1.0.3.src.rpm
  MD5 Sum: 1f8f3ab71d5b4c271f4dd1b246b0e191

Binary Packages:
  i386/gnupg-1.0.6-1.0.3.i386.rpm
  MD5 Sum: 62558d3d186cc6724ace14fab4b119e9

  i686/gnupg-1.0.6-1.0.3.i686.rpm
  MD5 Sum: 74feaca3f74deda14d78b04daa9b0319

REFERENCES
----------
Guardian Digital's public key:
  http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

Credit for the discovery of this bug goes to: fish stiqz

gnupg's Official Web Site:
  http://www.gnupg.org/

The original advisory disclosing the vulnerability:
  http://www.linuxsecurity.com/articles/cryptography_article-3083.html

Author: Ryan W. Maple, Copyright 2001, Guardian Digital, Inc.
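As an added illustration of the DETAIL section (example code written for this page, not EnGarde's or GnuPG's), this shows the hardened form of the call the quoted advisory describes, together with a check a reviewer can run on filename-derived prompt text. The tty_printf() here is a constructed stand-in for GnuPG's, and the prompt wording is a placeholder since the page does not quote GnuPG's actual prompt; GCC's -Wformat-security warning catches the non-constant form at compile time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for GnuPG's tty_printf(): like the real one, it
 * hands its first argument to vfprintf() as the format string. */
static void tty_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
}

/* Count '%' conversions in s, skipping the literal escape "%%". A non-zero
 * count on text that is about to be used AS a format string is the bug. */
int format_directive_count(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" prints one '%' */
        n++;
    }
    return n;
}

/* Build the prompt the advisory describes: the filename minus its
 * extension, embedded in the question (wording is a placeholder). */
int build_prompt(char *out, size_t outsz, const char *filename)
{
    const char *dot = strrchr(filename, '.');
    size_t len = dot ? (size_t)(dot - filename) : strlen(filename);
    return snprintf(out, outsz, "Enter new filename [%.*s]: ", (int)len, filename);
}

/* Hardened prompt: the filename-derived text travels as an ARGUMENT to a
 * constant format string, so any '%' in the name is printed, not parsed.
 * The vulnerable form quoted in the advisory was:  tty_printf(prompt);  */
void prompt_user(const char *filename)
{
    char prompt[512];
    build_prompt(prompt, sizeof prompt, filename);
    tty_printf("%s", prompt);
}
```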