Debian 2.2: DSA-061-1 Moderate: GnuPG Format Attack & Trust Issue
debian
June 18, 2001
A printf format string attack and "web of trust" pollution vulnerabilities have been fixed.
Topics Covered
Summary
Package : gnupg
Problem type : printf format attack
web of trust pollution
Debian-specific: no
The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation)
as distributed in Debian GNU/Linux 2.2 suffers from two problems:
fish stiqz reported on bugtraq that there was a printf format
problem in the do_get() function: it printed a prompt which included
the filename that was being decrypted without checking for
possible printf format attacks. This could be exploited by tricking
someone into decrypting a file with a specially crafted filename.
The second bug is related to importing secret keys: when gnupg
imported a secret key it would immediately make the associated
public key fully trusted which changes your web of trust without
asking for a confirmation. To fix this you now need a special
option to import a secret key.
Both problems have been fixed in version 1.0.6-0potato1.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced...
PREVIOUS
NEXT
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!