There is a format string vulnerability in GNU Privacy Guard. By sending a GPG message with a carefully crafted malicious filename, an attacker may be able to execute arbitrary code as the user who decrypts the message.
GNU Privacy Guard (GPG) is a free, RFC2440 compliant replacement for Pretty Good Privacy (PGP).
A format string vulnerability occurs in the do_get() function in ttyio.c, where GnuPG calls tty_printf() with a user supplied format string. When GPG encounters a filename with an unknown suffix, and it is not in batch mode, it prompts the user for a new filename to write the decrypted results to. The default value (which is included in the prompt) is the existing filename. Note that the filename is embedded in the encrypted message itself, and that safe file names selected by the recipient is not sufficient to protect against this attack. If the filename embedded in the message contains printf style format characters, the message creator may be able to execute arbitrary code as the user who decrypts the message.
An attacker may be able to execute arbitrary code as the user decrypting the message.
Apply a patch from your vendor
GNU Privacy Guard version 1.0.6 corrects this problem. Many vendors have published security advisories and released updated distributions correcting the vulnerability.
Decrypt files in batch mode
Because the vulnerable code is not called when GnuPG is in batch mode, users may be able to work around the vulnerability by specifying --batch on the command line.
Vendor| Status| Date Notified| Date Updated
Conectiva| | -| 12 Dec 2001
Debian| | 10 Dec 2001| 11 Dec 2001
FreeBSD| | 10 Dec 2001| 11 Dec 2001
Guardian Digital Inc. | | -| 05 Nov 2003
Immunix| | -| 10 Dec 2001
MandrakeSoft| | 10 Dec 2001| 11 Dec 2001
Red Hat Inc.| | 10 Dec 2001| 11 Dec 2001
SuSE Inc.| | -| 10 Dec 2001
The SCO Group (SCO Linux)| | 10 Dec 2001| 11 Dec 2001
Trustix| | -| 10 Dec 2001
TurboLinux| | -| 05 Nov 2003
Fujitsu| | 10 Dec 2001| 05 Nov 2003
OpenBSD| | 10 Dec 2001| 05 Nov 2003
Apple Computer Inc.| | 10 Dec 2001| 11 Dec 2001
BSDI| | 10 Dec 2001| 11 Dec 2001
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to Fish Stiqz for discovering this vulnerability.
This document was written by Cory F. Cohen.