|
GnuPG "make_printable_string()" Buffer Overflow Vulnerability
|
|
|
|
|
Secunia Advisory:
|
SA23094
|
|
|
Release Date:
|
2006-11-28
|
|
Last Update:
|
2006-12-01
|
|
|
Critical:
|

Moderately critical
|
|
Impact:
|
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | GnuPG / gpg 1.0.x GnuPG / gpg 1.2.x GnuPG / gpg 1.3.x GnuPG / gpg 1.4.x GnuPG / gpg 2.x
|
| | CVE reference: | CVE-2006-6169 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product? - Companies can be alerted via email and SMS! |
|
|
Description: Hugh Warrington has reported a vulnerability in GnuPG, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in the "ask_outfile_name()" function in openfile.c, because the "make_printable_string()" function can return a string longer than the expected "NAMELEN". This can be exploited to cause a buffer overflow by e.g. tricking a user into processing a specially crafted file using the interactive mode.
Successful exploitation may allow the execution of arbitrary code, but requires that the interactive mode is used. Applications using the batch mode (e.g. most e-mail clients) are not affected.
The vulnerability is reported in version 1.4.5 and 2.0.0. Other versions may also be affected.
Solution: Apply patch.
http://cvs.gnupg.org/cgi-bin/viewcvs....le.c?rev=4349&r1=4215&r2=4349
Provided and/or discovered by: Hugh Warrington
Changelog: 2006-12-01: Added CVE reference.
Original Advisory: http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
8 Related Secunia Security Advisories
|
|
|
1. GnuPG Duplicated IDs Memory Corruption
|
|
2. GnuPG OpenPGP Message Decryption Vulnerability
|
|
3. GnuPG "parse_comment" Denial of Service Vulnerability
|
|
4. GnuPG "parse-packet.c" Denial of Service Vulnerability
|
|
5. GnuPG Unsigned Data Injection Detection Vulnerability
|
|
6. GnuPG "gpgv" Signature Verification Security Issue
|
|
7. GnuPG HTTP Keyserver Protocol Interface Format String Vulnerability
|
|
8. GnuPG ElGamal Signing Weakness Expose Private Key
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|