From: EnGarde Secure Linux <security@guardiandigital.com>
To: engarde-security@guardiandigital.com
Subject: [ESA-20010530-01] gnupg format string vulnerability
Date: Wed, 30 May 2001 14:54:59 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                    May 30, 2001 |
| http://www.engardelinux.org/                           ESA-20010530-01 |
|                                                                        |
| Package: gnupg                                                         |
| Summary: There is a format string vulnerability in the gnupg package.  |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
--------
There is a format string vulnerability in gnupg which can allow an
attacker to exploit a victim by sending them a malicious encrypted
message. The attack takes place when the victim attempts to decrypt
this message.
DETAIL
------
From the original advisory disclosing the bug:
"The problem code lies in util/ttyio.c in the 'do_get' function.
There is a call to a function called 'tty_printf' (which eventually
results in a vfprintf call) without a constant format string:
> tty_printf( prompt );
If gpg attempts to decrypt a file whose filename does not end in
'.gpg', that filename (minus the extension) is copied to the prompt
string, allowing a user-suppliable format string."
An exploit does exist and all users are urged to upgrade to the latest
version (1.0.6) immediately.
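As an added illustration (not code from the advisory or from gnupg), the pattern the quoted text describes: a stand-in tty_printf() that bottoms out in a v*printf() call and writes to a buffer, and a simplified prompt construction that embeds the input filename minus its extension; both are assumptions made for the example, and the filename used is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gnupg's tty_printf(): like the real one it ends in a v*printf()
 * call, so whatever arrives as `fmt` is parsed for directives. It writes to a
 * buffer instead of the terminal so the result can be inspected. */
static int tty_printf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* fixed == 0 reproduces the advisory's tty_printf( prompt ), where text the
 * sender influences IS the format string; fixed != 0 is the safe form, a
 * constant format with the prompt passed as an ordinary %s argument. */
static int render_prompt(const char *filename, int fixed, char *out, size_t n)
{
    /* Prompt construction is a simplified assumption, not gnupg's own code:
     * the filename minus its extension lands in the text shown to the user. */
    const char *dot = strrchr(filename, '.');
    int stem = dot ? (int)(dot - filename) : (int)strlen(filename);
    char prompt[128];
    snprintf(prompt, sizeof prompt, "Enter new filename [%.*s]: ", stem, filename);
    return fixed ? tty_printf(out, n, "%s", prompt)   /* safe: constant format */
                 : tty_printf(out, n, prompt);        /* BUG: prompt IS the format */
}

/* Returns 1 if rendering `filename` via the chosen path yields `expected`. */
int render_matches(const char *filename, int fixed, const char *expected)
{
    char out[128];
    render_prompt(filename, fixed, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed filename: "%%" is the only directive well defined with no
     * arguments, so it exposes the parsing without undefined behaviour. */
    char out[128];
    render_prompt("report-100%%.txt", 0, out, sizeof out);
    printf("vulnerable: %s\n", out);   /* "%%" collapsed to "%" */
    render_prompt("report-100%%.txt", 1, out, sizeof out);
    printf("fixed:      %s\n", out);   /* "%%" kept verbatim */
    return 0;
}
```

If the wrapper is declared with GCC's printf-style format attribute, `-Wformat-security` reports the non-constant call at compile time, which is the cheapest check for this class of bug.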
SOLUTION
--------
All users should upgrade to the most recent version, as outlined in
this advisory. All updates can be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh <filename>
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signature of the updated packages, execute the command:
# rpm -Kv <filename>
UPDATED PACKAGES
----------------
Source Packages:
SRPMS/gnupg-1.0.6-1.0.3.src.rpm
MD5 Sum: 1f8f3ab71d5b4c271f4dd1b246b0e191
Binary Packages:
i386/gnupg-1.0.6-1.0.3.i386.rpm
MD5 Sum: 62558d3d186cc6724ace14fab4b119e9
i686/gnupg-1.0.6-1.0.3.i686.rpm
MD5 Sum: 74feaca3f74deda14d78b04daa9b0319
REFERENCES
----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
fish stiqz <fish@analog.org>
gnupg's Official Web Site:
http://www.gnupg.org/
The original advisory disclosing the vulnerability:
http://www.linuxsecurity.com/articles/cryptography_article-3083.html
----------------------------------------------------------------------------
$Id: ESA-20010530-01-gnupg,v 1.2 2001/05/30 18:53:52 rwm Exp $
----------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2001, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7FUIJHD5cqd57fu0RArXTAJ97pTmqeqiQZMvCXuKULmJ1hqL9NwCfVc8g
SYBX/1Q5QjSD+BcCRihNHCE=
=8blE
-----END PGP SIGNATURE-----