Gentoo: app-crypt/gnupg Multiple vulnerabilities
Summary
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- -------------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200312-05 - --------------------------------------------------------------------------
GLSA: 200312-05 Package: app-crypt/gnupg Summary: GnuPG ElGamal signing keys compromised and format string vulnerability Severity: minimal Gentoo bug: 34504, 35639 Date: 2003-12-12 CVE: CAN-2003-0971, CAN-2003-0978 Exploit: unknown Affected: <=1.2.3-r4 fixed:>=1.2.3-r5
DESCRIPTION:
Two flaws have been found in GnuPG 1.2.3.
First, ElGamal signing keys can be compromised. These keys are not commonly used. Quote from <http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html>:
"Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Second, there is a format string flaw in the 'gpgkeys_hkp' utility which "would allow a malicious keyserver in the worst case to execute an arbitrary code on the user's machine." See <; for details.
SOLUTION:
All users who have created ElGamal signing keys should immediately revoke them. Then, all Gentoo Linux machines with gnupg installed should be updated to use gnupg-1.2.3-r5 or higher.
emerge sync emerge -pv '>=app-crypt/gnupg-1.2.3-r5' emerge '>=app-crypt/gnupg-1.2.3-r5' emerge clean
// end
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/2XUCnt0v0zAqOHYRAlrEAJwNpCuOGrcBcjKnC/c/F3AOxsTX3gCfU9ah 0gaONEybmmq0x4/vJheoXwg=F5DR -----END PGP SIGNATURE-----
=1.2.3-r4