Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 528
Alerts This Week
Warning Icon 1 528

Debian 2.2: DSA-061-1 Moderate: GnuPG Format Attack & Trust Issue

debian
Calendar Grey June 18, 2001
Debian Logo
The software package GnuPG on Debian has resolved two critical security issues, including a format string vulnerability and a weakness in trust management mechanisms.
A printf format string attack and "web of trust" pollution vulnerabilities have been fixed.

Summary

Package : gnupg
Problem type : printf format attack
web of trust pollution
Debian-specific: no

The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation)
as distributed in Debian GNU/Linux 2.2 suffers from two problems:

fish stiqz reported on bugtraq that there was a printf format
problem in the do_get() function: it printed a prompt which included
the filename that was being decrypted without checking for
possible printf format attacks. This could be exploited by tricking
someone into decrypting a file with a specially crafted filename.

The second bug is related to importing secret keys: when gnupg
imported a secret key it would immediately make the associated
public key fully trusted which changes your web of trust without
asking for a confirmation. To fix this you now need a special
option to import a secret key.

Both problems have been fixed in version 1.0.6-0potato1.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced...

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.