![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Wichert Akkerman <wichert@cistron.nl>
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA-061-1] multiple gnupg problems
Date: Sat, 16 Jun 2001 19:57:08 +0200
-----BEGIN PGP SIGNED MESSAGE-----
- ------------------------------------------------------------------------
Debian Security Advisory DSA-061-1 security@debian.org
http://www.debian.org/security/ Wichert Akkerman
June 16, 2001
- ------------------------------------------------------------------------
Package : gnupg
Problem type : printf format attack
web of trust pollution
Debian-specific: no
The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation)
as distributed in Debian GNU/Linux 2.2 suffers from two problems:
fish stiqz reported on bugtraq that there was a printf format
problem in the do_get() function: it printed a prompt which included
the filename that was being decrypted without checking for
possible printf format attacks. This could be exploited by tricking
someone into decrypting a file with a specially crafted filename.
The second bug is related to importing secret keys: when gnupg
imported a secret key it would immediately make the associated
public key fully trusted which changes your web of trust without
asking for a confirmation. To fix this you now need a special
option to import a secret key.
Both problems have been fixed in version 1.0.6-0potato1.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
Debian GNU/Linux 2.2 alias potato
- ---------------------------------
Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
Source archives:
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.6-0potato1.diff.gz
MD5 checksum: 4928a4a589c11cadea852347d23edf5a
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.6-0potato1.dsc
MD5 checksum: e6057febed9106dfc9f77fb61fbd0ca4
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.6.orig.tar.gz
MD5 checksum: 7c319a9e5e70ad9bc3bf0d7b5008a508
Alpha architecture:
http://security.debian.org/dists/stable/updates/main/binary-alpha/gnupg_1.0.6-0potato1_alpha.deb
MD5 checksum: 76c3f586b91bba1c69a6fb6ea93a2fbd
ARM architecture:
http://security.debian.org/dists/stable/updates/main/binary-arm/gnupg_1.0.6-0potato1_arm.deb
MD5 checksum: 84a47897a38f44b07180e9a9ec16ab49
Intel IA-32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/gnupg_1.0.6-0potato1_i386.deb
MD5 checksum: d3a91ccc9d1c951b80afe17e59190db3
Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/main/binary-m68k/gnupg_1.0.6-0potato1_m68k.deb
MD5 checksum: 6b12f23b3c3840574af826db147ed9cd
PowerPC architecture:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/gnupg_1.0.6-0potato1_powerpc.deb
MD5 checksum: a5a9bffdce2abf112c2058097f48f784
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/main/binary-sparc/gnupg_1.0.6-0potato1_sparc.deb
MD5 checksum: 487c0d605ff5b3fdce2212d4e9c07bf0
These packages will be moved into the stable distribution on its next
revision.
For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
- --
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQB1AwUBOyud7KjZR/ntlUftAQGn2AL9EYSvg7znskCLx5eY/mOjz3QQnDSEFXlj
V8GSUZaSVpm5kNcb19pZIgfJEZe60CQIDesdnb8M7YaKyT65sFha+8yJvaVWsy+H
5Mp/lBEW8B3qvNYtScF6/XoXKpymOD2E
=918n
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org