From: Progeny Security Team <security@progeny.com>
Subject: PROGENY-SA-2001-16: gnupg format string vulnerability
Date: Wed, 30 May 2001 17:11:19 -0500 (EST)
---------------------------------------------------------------------------
PROGENY SERVICE NETWORK -- SECURITY ADVISORY PROGENY-SA-2001-16
---------------------------------------------------------------------------
Synopsis: gnupg format string vulnerability
Software: gnupg
History:
  2001-05-29 Vulnerability announced
  2001-05-29 Vendor patch/fix available
  2001-05-30 Update available in Progeny archive
Credits: fish stiqz <fish@synnergy.net>
Affects: Progeny Debian (gnupg prior to 1.0.4-2progeny1)
Progeny Only: NO
Vendor-Status: New Version Released (gnupg_1.0.4-2progeny1)
$Progeny: security/advisory/PROGENY-SA-2001-16,v 1.1 2001/05/30 22:04:10 jdaily Exp $
---------------------------------------------------------------------------
SUMMARY
Gnu Privacy Guard (GnuPG, aka GPG) is an encryption program that
provides functionality similar to PGP. It contains a format string
vulnerability that can be used to invoke shell commands with
the currently logged-on user's privileges.
DETAILED DESCRIPTION
One indirect invocation of vfprintf neglects to pass "%s" as the first
argument, allowing a filename to include format strings and, with
careful planning, invoke arbitrary shell code.
Note that the name of the file to be decrypted is irrelevant; what
matters is the filename that was originally encrypted.
In practice, this would be difficult to exploit reliably, but sample
code for Linux has been published to Bugtraq that provides a remote
shell.
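
The bug class described above, shown as an added example (not GnuPG's code and not part of the original advisory): the hypothetical wrapper msg_printf stands in for the indirect vfprintf call, with the vulnerable call beside the "%s" fix. The constructed filename contains only "%%", so the misinterpretation is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style wrapper (an assumption for illustration).
 * It formats into a buffer so the result can be inspected. Declaring
 * such a wrapper with __attribute__((format(printf, 3, 4))) lets
 * gcc/clang -Wformat-security flag the vulnerable call at build time. */
static int msg_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE: the untrusted filename is used as the format string. */
static int show_name_vulnerable(char *out, size_t n, const char *filename)
{
    return msg_printf(out, n, filename);
}

/* FIXED: constant "%s" format; the filename is only ever data. */
static int show_name_fixed(char *out, size_t n, const char *filename)
{
    return msg_printf(out, n, "%s", filename);
}

int main(void)
{
    const char *name = "report-100%%.txt"; /* constructed sample filename */
    char buf[64];

    show_name_vulnerable(buf, sizeof buf, name);
    printf("vulnerable: %s\n", buf);   /* report-100%.txt  (name was parsed) */

    show_name_fixed(buf, sizeof buf, name);
    printf("fixed:      %s\n", buf);   /* report-100%%.txt (name kept verbatim) */
    return 0;
}
```
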
SOLUTION (See also: UPDATING VIA APT-GET)
Upgrade to a fixed version of gnupg. gnupg version 1.0.4-2progeny1
corrects the problem. For your convenience, you may upgrade to the
gnupg_1.0.4-2progeny1 package.
UPDATING VIA APT-GET
1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
   update repository:

     deb http://archive.progeny.com/progeny updates/newton/

2. Update your cache of available packages for apt(8).

   Example:

     # apt-get update

3. Using apt(8), install the new package. apt(8) will download the
   update, verify its integrity with md5, and then install the
   package on your system with dpkg(8).

   Example:

     # apt-get install gnupg
UPDATING VIA DPKG
1. Use your preferred FTP/HTTP client to retrieve the following
   updated files from Progeny's update archive at:

     http://archive.progeny.com/progeny/updates/newton/

     MD5 Checksum                     Filename
     -------------------------------- -------------------------------------
     ede2df0c58899edce9e654c6f28a3edb gnupg_1.0.4-2progeny1_i386.deb

   Example:

     $ wget http://archive.progeny.com/progeny/updates/newton/gnupg_1.0.4-2progeny1_i386.deb

2. Use the md5sum(1) command on the retrieved files to verify that
   they match the MD5 checksum provided in this advisory:

   Example:

     $ md5sum gnupg_1.0.4-2progeny1_i386.deb

3. Then install the replacement package(s) using dpkg(8).

   Example:

     # dpkg --install gnupg_1.0.4-2progeny1_i386.deb
WORKAROUND
No known workaround exists for this vulnerability.
MORE INFORMATION
The GnuPG homepage is located at http://www.gnupg.org/
The original post to Bugtraq with full details can be found at
http://archives.indenial.com/hypermail/bugtraq/2001/May2001/0275.html.
Progeny advisories can be found at http://www.progeny.com/security/.
---------------------------------------------------------------------------
pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>