Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

Gentoo: 200312-05 Minimal: GnuPG Key Compromise and Format String Issue

gentoo
Calendar Grey December 12, 2003
Dist Gentoo Esm H88
GnuPG version 1.2.3 has disclosed two critical flaws linked to key authenticity and string handling problems. Immediate action is necessary for all individuals utilizing the software.
Two flaws have been found in GnuPG 1.2.3 including a format string vulnerability and the compromise of ElGamal signing keys.

Summary


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200312-05 - --------------------------------------------------------------------------
GLSA: 200312-05 Package: app-crypt/gnupg Summary: GnuPG ElGamal signing keys compromised and format string vulnerability Severity: minimal Gentoo bug: 34504, 35639 Date: 2003-12-12 CVE: CAN-2003-0971, CAN-2003-0978 Exploit: unknown Affected: <=1.2.3-r4 fixed:>=1.2.3-r5

DESCRIPTION:
Two flaws have been found in GnuPG 1.2.3.
First, ElGamal signing keys can be compromised. These keys are not commonly used. Quote from <http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html>:
"Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all E...

Read the Full Advisory

Resolution

References

Availability

style>.gentoo_availability{display:block;}

Concerns

Synopsis

Background

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

Impact

Workaround