[LWN.net]
From:	 EnGarde Secure Linux <security@guardiandigital.com>
To:	 engarde-security@guardiandigital.com
Subject: [ESA-20010530-01]  gnupg format string vulnerability
Date:	 Wed, 30 May 2001 14:54:59 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                    May 30, 2001 |
| http://www.engardelinux.org/                           ESA-20010530-01 |
|                                                                        |
| Package:  gnupg                                                        |
| Summary:  There is a format string vulnerability in the gnupg package. |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  There is a format string vulnerability in gnupg which allows an
  attacker to exploit a victim by sending them a malicious encrypted
  message.  The attack takes place when the victim attempts to decrypt
  the message: the format directives reach gpg through the name of the
  file being decrypted (see DETAIL), not through the ciphertext itself.


DETAIL
- ------
  From the original advisory disclosing the bug:

    "The problem code lies in util/ttyio.c in the 'do_get' function.
     There is a call to a function called 'tty_printf' (which eventually
     results in a vfprintf call) without a constant format string:

      >     tty_printf( prompt );

     If gpg attempts to decrypt a file whose filename does not end in
     '.gpg', that filename (minus the extension) is copied to the prompt
     string, allowing a user-suppliable format string."

  An exploit does exist and all users are urged to upgrade to the latest
  version (1.0.6) immediately.
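  To make the pattern concrete, the following is an added example; it is
  not GnuPG's code and not part of the original advisory.  It rebuilds the
  call shape described above in a small C program: a printf-style wrapper
  (tty_printf_sim, a hypothetical stand-in for tty_printf) called once with
  the attacker-derived prompt as the format string and once with a constant
  "%s" format.  build_prompt, prompt_vulnerable, prompt_fixed,
  has_format_directive and prompt_renders_as are hypothetical names;
  build_prompt strips the last extension from a filename as a simplification
  of gpg's behaviour; the filename "secret%%.asc" is a constructed input
  chosen because "%%" consumes no arguments, so the vulnerable path stays
  well-defined while still showing the string being interpreted (a real
  attacker would use "%x" to read the stack or "%n" to write memory).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GnuPG source.  All function names below are
 * hypothetical stand-ins for the call shape described in the advisory. */

#define PROMPT_MAX 128

/* Stand-in for tty_printf: a printf-style wrapper that ends in a v*printf
 * call, writing to a buffer instead of the terminal so output can be checked. */
static int tty_printf_sim(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Simplified model of how the prompt was derived: the filename minus its
 * trailing extension.  The attacker chose the filename, so the attacker
 * controls the prompt. */
static void build_prompt(const char *filename, char *prompt, size_t len)
{
    const char *dot = strrchr(filename, '.');
    size_t keep = dot ? (size_t)(dot - filename) : strlen(filename);
    if (keep >= len)
        keep = len - 1;
    memcpy(prompt, filename, keep);
    prompt[keep] = '\0';
}

/* VULNERABLE shape: the prompt itself is passed as the format string, so any
 * '%' directive in the filename is interpreted.  "%x" would dump stack words
 * and "%n" would write to memory; this demo only ever feeds "%%" so that it
 * stays well-defined while still showing the interpretation happening. */
int prompt_vulnerable(const char *filename, char *out, size_t outlen)
{
    char prompt[PROMPT_MAX];
    build_prompt(filename, prompt, sizeof prompt);
    return tty_printf_sim(out, outlen, prompt);       /* like tty_printf(prompt) */
}

/* FIXED shape: constant format string, attacker data passed as an argument. */
int prompt_fixed(const char *filename, char *out, size_t outlen)
{
    char prompt[PROMPT_MAX];
    build_prompt(filename, prompt, sizeof prompt);
    return tty_printf_sim(out, outlen, "%s", prompt); /* like tty_printf("%s", prompt) */
}

/* Cheap audit check: data that is about to be used as a format string and
 * contains '%' is a red flag. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Returns 1 if the chosen variant renders `filename` to exactly `expected`. */
int prompt_renders_as(const char *filename, int use_fix, const char *expected)
{
    char out[256];
    if (use_fix)
        prompt_fixed(filename, out, sizeof out);
    else
        prompt_vulnerable(filename, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed attacker-chosen filename; "%%" is the only directive that
     * consumes no arguments, so the vulnerable path is still defined here. */
    const char *evil = "secret%%.asc";
    char out[256];

    prompt_vulnerable(evil, out, sizeof out);
    printf("vulnerable: %s\n", out);   /* secret%  : the "%%" was interpreted */
    prompt_fixed(evil, out, sizeof out);
    printf("fixed:      %s\n", out);   /* secret%% : printed verbatim */
    printf("flag:       %d\n", has_format_directive(evil));
    return 0;
}
```

  The one-character difference in output is the whole bug: in the
  vulnerable shape the filename is parsed as a format, so a name carrying
  "%x" or "%n" is parsed the same way, with the stack reads and memory
  writes that implies.  Compiling with -Wformat-security and marking
  printf-style wrappers with the format attribute makes the compiler flag
  the tty_printf(prompt) shape automatically.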


SOLUTION
- --------
  All users should upgrade to the most recent version, as outlined in
  this advisory.  All updates can be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the command
  below before installing, with Guardian Digital's public key (see
  REFERENCES) imported so that rpm can check the signature:

    # rpm -Kv <filename>


UPDATED PACKAGES
- ----------------

  Source Packages:

    SRPMS/gnupg-1.0.6-1.0.3.src.rpm
      MD5 Sum:  1f8f3ab71d5b4c271f4dd1b246b0e191

  Binary Packages:

    i386/gnupg-1.0.6-1.0.3.i386.rpm
      MD5 Sum:  62558d3d186cc6724ace14fab4b119e9

    i686/gnupg-1.0.6-1.0.3.i686.rpm
      MD5 Sum:  74feaca3f74deda14d78b04daa9b0319


REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    fish stiqz <fish@analog.org>

  gnupg's Official Web Site:
    http://www.gnupg.org/

  The original advisory disclosing the vulnerability:
    http://www.linuxsecurity.com/articles/cryptography_article-3083.html


- ----------------------------------------------------------------------------
$Id: ESA-20010530-01-gnupg,v 1.2 2001/05/30 18:53:52 rwm Exp $
- ----------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2001, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7FUIJHD5cqd57fu0RArXTAJ97pTmqeqiQZMvCXuKULmJ1hqL9NwCfVc8g
SYBX/1Q5QjSD+BcCRihNHCE=
=8blE
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
     To unsubscribe email engarde-security-request@engardelinux.org
         with "unsubscribe" in the subject of the message.

Copyright(c) 2001 Guardian Digital, Inc.                EnGardeLinux.org
------------------------------------------------------------------------