(Gentoo Issues Fix) GnuPG 'gpgkeys_hkp' Format String Flaw Lets Remote Keyservers Execute Arbitrary Code
SecurityTracker Alert ID: 1008462
SecurityTracker URL: http://securitytracker.com/id/1008462
CVE Reference: CAN-2003-0978
Date: Dec 12 2003
Impact:
Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.2.3, 1.3.3
Description:
A format string vulnerability was reported in GnuPG in the experimental 'gpgkeys_hkp' utility. A malicious keyserver can execute arbitrary code on the target user's system.
S-Quadra reported that when the external HKP interface is enabled, the get_key() function in 'keyserver/gpgkeys_hkp.c' passes user-supplied input to fprintf() as the format string itself, with no fixed format specifier and no validation of that input. A malicious keyserver can therefore return specially crafted data in its reply and potentially execute arbitrary code on the client.
The report indicates that this HKP interface is not enabled by default in the 1.2 stable branch, but is enabled by default on the 1.3 development branch.
The vendor was reportedly notified on 27 November 2003.
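The defect described above, as an added illustration that is not GnuPG's code and not taken from the S-Quadra advisory: the vulnerable shape, in which the keyserver's reply becomes the format string, next to the hardened form that passes the reply through a constant "%s" format, plus a small defensive check that counts the conversion directives printf would act on in an untrusted string. The function names report_vulnerable, report_safe, count_conversions and render_safe are invented for this example, and the sample keyserver reply is constructed.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern from the advisory: network data used as the format
   string. Every '%' directive in the reply is interpreted by fprintf, and
   "%n" writes to memory. Kept only for contrast; never call it with
   untrusted data (the demo below does not call it). */
void report_vulnerable(FILE *out, const char *keyserver_line)
{
    fprintf(out, keyserver_line);   /* BUG: attacker controls the format */
}

/* Hardened form: the format is a compile-time constant and the reply is
   an ordinary argument, so '%' characters in it are printed literally. */
void report_safe(FILE *out, const char *keyserver_line)
{
    fprintf(out, "%s", keyserver_line);
}

/* Defensive check: count the directives printf would act on. "%%" is a
   literal percent sign and is not counted; a lone trailing '%' is counted
   because an incomplete directive is itself undefined behaviour. A
   non-zero result for data that should be plain text is worth logging or
   rejecting before the data reaches any logging path. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Render untrusted text into a caller-supplied buffer through a constant
   format. The text is copied verbatim, '%' signs included, and the result
   is always NUL-terminated. Returns the number of characters the full
   string would need, as snprintf does. */
int render_safe(char *dst, size_t dstlen, const char *untrusted)
{
    return snprintf(dst, dstlen, "%s", untrusted);
}

int main(void)
{
    /* Constructed sample of a hostile keyserver reply line. */
    const char *reply = "pub:%x%x%x%n:hostile";
    char buf[64];

    printf("directives in reply: %d\n", count_conversions(reply));
    render_safe(buf, sizeof buf, reply);
    printf("rendered safely: %s\n", buf);
    report_safe(stdout, reply);
    putchar('\n');
    return 0;
}
```

The whole fix in the advisory amounts to the difference between the two report functions: one argument position. Compilers flag the vulnerable shape with -Wformat-security, which is a cheap check to enable across a code base that handles network input.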
Impact:
A remote keyserver can execute arbitrary code on a target user's system.
Solution:
Gentoo has released a fix and recommends that all Gentoo Linux users with gnupg installed update to gnupg-1.2.3-r5 or higher:
emerge sync
emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
emerge '>=app-crypt/gnupg-1.2.3-r5'
emerge clean
Vendor URL: www.gnupg.org/
Cause:
Input validation error
Underlying OS:
Linux (Gentoo)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Fri, 12 Dec 2003 03:10:13 -0500
Subject: [gentoo-announce] GLSA: gnupg (200312-05)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-05
- --------------------------------------------------------------------------
GLSA: 200312-05
Package: app-crypt/gnupg
Summary: GnuPG ElGamal signing keys compromised and
format string vulnerability
Severity: minimal
Gentoo bug: 34504, 35639
Date: 2003-12-12
CVE: CAN-2003-0971, CAN-2003-0978
Exploit: unknown
Affected: <=1.2.3-r4
Fixed: >=1.2.3-r5
DESCRIPTION:
Two flaws have been found in GnuPG 1.2.3.
First, ElGamal signing keys can be compromised. These keys are not
commonly used. Quote from
<http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html>:
"Phong Nguyen identified a severe bug in the way GnuPG creates and
uses ElGamal keys for signing. This is a significant security
failure which can lead to a compromise of almost all ElGamal keys
used for signing. Note that this is a real world vulnerability
which will reveal your private key within a few seconds."
Second, there is a format string flaw in the 'gpgkeys_hkp' utility
which "would allow a malicious keyserver in the worst case to execute
an arbitrary code on the user's machine." See
<http://www.s-quadra.com/advisories/Adv-20031203.txt> for
details.
SOLUTION:
All users who have created ElGamal signing keys should immediately
revoke them. Then, all Gentoo Linux machines with gnupg installed
should be updated to use gnupg-1.2.3-r5 or higher.
emerge sync
emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
emerge '>=app-crypt/gnupg-1.2.3-r5'
emerge clean
// end
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/2XUCnt0v0zAqOHYRAlrEAJwNpCuOGrcBcjKnC/c/F3AOxsTX3gCfU9ah
0gaONEybmmq0x4/vJheoXwg=
=F5DR
-----END PGP SIGNATURE-----