Debian: New gnupg packages fix arbitrary code execution

    Date 08 Dec 2006
    Posted By LinuxSecurity Advisories
    Updated package.
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 1231-1                    security@debian.org
    https://www.debian.org/security/                         Moritz Muehlenhoff
    December 9th, 2006                      https://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : gnupg
    Vulnerability  : several
    Problem-Type   : local(remote)
    Debian-specific: no
    CVE ID         : CVE-2006-6169 CVE-2006-6235
    Debian Bug     : 401894 401898 401914
    
    Several remote vulnerabilities have been discovered in GNU Privacy Guard,
    a free PGP replacement, which may lead to the execution of arbitrary code.
    The Common Vulnerabilities and Exposures project identifies the following
    problems:
    
    CVE-2006-6169
    
        Werner Koch discovered that a buffer overflow in a sanitising function
        may lead to execution of arbitrary code when running gnupg
        interactively.
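
    The bug class behind CVE-2006-6169, as an added illustration (this is not
    GnuPG's code and not part of the advisory): a caller budgets a prompt
    buffer from the raw length of a name taken from an untrusted message, but
    the sanitiser that makes the name printable expands every non-printable
    byte to a four-character "\xNN" escape, so the sanitised string can be up
    to four times longer than the budget assumed. The sanitiser, the prompt
    format, the fixed slack of 10 bytes and all function names are assumptions
    made for the example; the 12-byte crafted name is constructed input.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: 12 control bytes standing in for a filename
   embedded in an untrusted message. isprint() rejects every byte, so the
   sanitised form is four times longer. */
static const unsigned char CRAFTED_NAME[12] = {1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1};
static const char LABEL[] = "Enter new filename";

/* Length of NAME after sanitising: printable bytes stay as they are, anything
   else (and the escape character itself) becomes a four-byte "\xNN". */
size_t printable_len(const unsigned char *name, size_t namelen)
{
    size_t n = 0;
    for (size_t i = 0; i < namelen; i++)
        n += (isprint(name[i]) && name[i] != '\\') ? 1 : 4;
    return n;
}

/* Hypothetical sanitiser: returns a malloc'd, NUL-terminated escaped copy. */
char *make_printable(const unsigned char *name, size_t namelen)
{
    char *out = malloc(printable_len(name, namelen) + 1);
    if (!out)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < namelen; i++) {
        if (isprint(name[i]) && name[i] != '\\')
            *p++ = (char)name[i];
        else
            p += snprintf(p, 5, "\\x%02x", (unsigned)name[i]);
    }
    *p = '\0';
    return out;
}

/* Vulnerable sizing: the caller budgets from the raw length plus a fixed
   slack, as though sanitising never grows the string. */
size_t prompt_size_naive(size_t namelen)
{
    return strlen(LABEL) + namelen + 10;
}

/* Correct sizing: budget from the sanitised string that is actually written,
   for the format "%s [%s]: " (sizeof counts the terminating NUL). */
size_t prompt_size_needed(const char *printable)
{
    return strlen(LABEL) + strlen(printable) + sizeof(" []: ");
}

/* 1 if writing the sanitised prompt into the naive allocation would overrun it. */
int naive_sizing_overflows(const unsigned char *name, size_t namelen)
{
    char *printable = make_printable(name, namelen);
    if (!printable)
        return -1;
    int overflows = prompt_size_needed(printable) > prompt_size_naive(namelen);
    free(printable);
    return overflows;
}

/* Hardened prompt builder: allocate from the sanitised length and let
   snprintf enforce the same bound. */
char *build_prompt(const unsigned char *name, size_t namelen)
{
    char *printable = make_printable(name, namelen);
    if (!printable)
        return NULL;
    size_t n = prompt_size_needed(printable);
    char *prompt = malloc(n);
    if (prompt)
        snprintf(prompt, n, "%s [%s]: ", LABEL, printable);
    free(printable);
    return prompt;
}

int main(void)
{
    const unsigned char *benign = (const unsigned char *)"report.txt";
    printf("benign : naive budget %zu bytes, overflow=%d\n",
           prompt_size_naive(10), naive_sizing_overflows(benign, 10));
    printf("crafted: naive budget %zu bytes, overflow=%d\n",
           prompt_size_naive(sizeof CRAFTED_NAME),
           naive_sizing_overflows(CRAFTED_NAME, sizeof CRAFTED_NAME));
    char *prompt = build_prompt(CRAFTED_NAME, sizeof CRAFTED_NAME);
    if (prompt) {
        printf("safe prompt (%zu bytes): %s\n", strlen(prompt), prompt);
        free(prompt);
    }
    return 0;
}
```

    The fix is not a larger slack constant but sizing from the string that is
    actually written; passing the same size to snprintf keeps the bound honest
    if the prompt format grows later.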
    
    CVE-2006-6235
    
        Tavis Ormandy discovered that parsing a carefully crafted OpenPGP
        packet may lead to the execution of arbitrary code, as a function
        pointer of an internal structure may be controlled through the
        decryption routines.
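
    The pattern behind CVE-2006-6235, as an added illustration (not GnuPG's
    code and not part of the advisory): a decryption context keeps a
    fixed-size buffer immediately before a function pointer, and copying a
    packet body of attacker-declared length into that buffer without
    comparing it to the buffer's size lets the copy run over the pointer.
    The struct layout, the one-byte length prefix and all names are
    assumptions made for the example; both packets are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEFER_SIZE 20

/* Hypothetical decryption filter context: a small carry-over buffer for a
   partial block sits directly before the callback the decryption loop
   calls. Only the layout matters for the demonstration. */
struct decode_ctx {
    unsigned char defer[DEFER_SIZE];
    size_t defer_filled;
    int (*release)(struct decode_ctx *);
};

static int release_ok(struct decode_ctx *c) { (void)c; return 0; }

/* Constructed packets: one length byte followed by the body. */
static const unsigned char BENIGN_PACKET[] = { 5, 'h', 'e', 'l', 'l', 'o' };

/* Builds a packet whose declared length equals sizeof(struct decode_ctx), so
   an unchecked copy into `defer` runs across `defer_filled` and `release`.
   Returns the packet length, or 0 if it cannot be encoded in one byte. */
size_t build_crafted_packet(unsigned char *out, size_t outsz)
{
    size_t body = sizeof(struct decode_ctx);
    if (body > 255 || outsz < 1 + body)
        return 0;
    out[0] = (unsigned char)body;
    memset(out + 1, 0x41, body);
    return 1 + body;
}

/* Vulnerable parser: copies the declared length with no check against
   DEFER_SIZE. It takes the context as raw bytes so the overrun stays inside
   one array and the demonstration is well-defined C. */
void parse_packet_unchecked(unsigned char *ctx_raw, const unsigned char *pkt)
{
    size_t len = pkt[0];
    memcpy(ctx_raw + offsetof(struct decode_ctx, defer), pkt + 1, len);
}

/* Hardened parser: refuses a body that does not fit the space left in defer.
   Returns 0 on success, -1 for a malformed length. */
int parse_packet_checked(struct decode_ctx *ctx, const unsigned char *pkt)
{
    size_t len = pkt[0];
    if (ctx->defer_filled > DEFER_SIZE || len > DEFER_SIZE - ctx->defer_filled)
        return -1;
    memcpy(ctx->defer + ctx->defer_filled, pkt + 1, len);
    ctx->defer_filled += len;
    return 0;
}

/* Returns 1 if the unchecked parser changed the bytes of `release`, i.e. the
   packet now decides where the next indirect call goes. */
int unchecked_parse_clobbers_callback(const unsigned char *pkt)
{
    union {
        struct decode_ctx ctx;
        unsigned char raw[sizeof(struct decode_ctx)];
    } u;
    unsigned char before[sizeof(u.ctx.release)];

    memset(&u, 0, sizeof u);
    u.ctx.release = release_ok;
    memcpy(before, u.raw + offsetof(struct decode_ctx, release), sizeof before);
    parse_packet_unchecked(u.raw, pkt);
    return memcmp(before, u.raw + offsetof(struct decode_ctx, release), sizeof before) != 0;
}

int main(void)
{
    unsigned char pkt[256];
    struct decode_ctx ctx = { {0}, 0, release_ok };

    if (!build_crafted_packet(pkt, sizeof pkt))
        return 1;
    printf("unchecked parse overwrote release pointer: %s\n",
           unchecked_parse_clobbers_callback(pkt) ? "yes" : "no");
    printf("checked parse, benign packet : %d\n", parse_packet_checked(&ctx, BENIGN_PACKET));
    printf("checked parse, crafted packet: %d\n", parse_packet_checked(&ctx, pkt));
    return 0;
}
```

    In real code the same copy writes straight through the struct, and the
    next call through `release` goes wherever the packet put it. The check in
    parse_packet_checked compares against the space remaining rather than the
    total size, so it still holds once the buffer is partly filled.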
    
    For the stable distribution (sarge) these problems have been fixed in
    version 1.4.1-1.sarge6.
    
    For the upcoming stable distribution (etch) these problems have been
    fixed in version 1.4.6-1.
    
    For the unstable distribution (sid) these problems have been fixed in
    version 1.4.6-1.
    
    We recommend that you upgrade your gnupg packages.
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.1 alias sarge
    - --------------------------------
    
      Source archives:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6.dsc
          Size/MD5 checksum:      680 f99d9936fdb3d87b37f719d4f507702a
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6.diff.gz
          Size/MD5 checksum:    22889 219b13435d4594c530614638590b65d3
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
          Size/MD5 checksum:  4059170 1cc77c6943baaa711222e954bbd785e5
    
      Alpha architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_alpha.deb
          Size/MD5 checksum:  2156230 950520b2391eb6444593c66a8e96d6c3
    
      AMD64 architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_amd64.deb
          Size/MD5 checksum:  1963738 589ab9ab433e000e919a38f558f54f5e
    
      ARM architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_arm.deb
          Size/MD5 checksum:  1899822 158ed8fe21da9e2b8c730b3b2acce9a8
    
      HP Precision architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_hppa.deb
          Size/MD5 checksum:  2004374 9daff80c38cf65bb299fb5ee370d44d6
    
      Intel IA-32 architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_i386.deb
          Size/MD5 checksum:  1909194 8752d3578b55a7fd1535bba18ca0770c
    
      Intel IA-64 architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_ia64.deb
          Size/MD5 checksum:  2325806 38fa7bb8def3d1a296aa6aa3432561a3
    
      Motorola 680x0 architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_m68k.deb
          Size/MD5 checksum:  1811222 f51182d8badb7c2b0ef42b78c71be16d
    
      Big endian MIPS architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_mips.deb
          Size/MD5 checksum:  2001184 cc087abacd572bed64a2ab191d863946
    
      Little endian MIPS architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_mipsel.deb
          Size/MD5 checksum:  2007888 c42342dd898361ed9fcee1bdc8edc3e2
    
      PowerPC architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_powerpc.deb
          Size/MD5 checksum:  1958036 ff8ee1d008561ce87732847e895024ec
    
      IBM S/390 architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_s390.deb
          Size/MD5 checksum:  1967406 693212d3c1b12bf7f6f204daa0531f6a
    
      Sun Sparc architecture:
    
        https://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge6_sparc.deb
          Size/MD5 checksum:  1897740 3821e5e9e69241324d781fe78ed1ace7
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb https://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: debian-security-announce@lists.debian.org
    
