GnuPG format string vulnerability in do_get() in ttyio.c while prompting for a new filename

2001-12-10T00:00:00
ID VU:403051
Type cert
Reporter CERT
Modified 2003-11-05T21:29:00

Description

Overview

There is a format string vulnerability in GNU Privacy Guard. By sending a GPG message with a carefully crafted malicious filename, an attacker may be able to execute arbitrary code as the user who decrypts the message.

Description

GNU Privacy Guard (GPG) is a free, RFC2440 compliant replacement for Pretty Good Privacy (PGP).

A format string vulnerability occurs in the do_get() function in ttyio.c, where GnuPG calls tty_printf() with a user supplied format string. When GPG encounters a filename with an unknown suffix, and it is not in batch mode, it prompts the user for a new filename to write the decrypted results to. The default value (which is included in the prompt) is the existing filename. Note that the filename is embedded in the encrypted message itself, and that safe file names selected by the recipient is not sufficient to protect against this attack. If the filename embedded in the message contains printf style format characters, the message creator may be able to execute arbitrary code as the user who decrypts the message.


Impact

An attacker may be able to execute arbitrary code as the user decrypting the message.


Solution

Apply a patch from your vendor

GNU Privacy Guard version 1.0.6 corrects this problem. Many vendors have published security advisories and released updated distributions correcting the vulnerability.


Decrypt files in batch mode

Because the vulnerable code is not called when GnuPG is in batch mode, users may be able to work around the vulnerability by specifying --batch on the command line.


Vendor Information

403051

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

Conectiva

Updated: December 12, 2001

Status

__ Vulnerable

Vendor Statement

Conectiva released an advisory and a fix in 2001-06-07:

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000399

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Debian

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian has published a security advisory on this topic at:

<http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00064.html>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ FreeBSD

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD has published a security advisory on this topic at:

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:44.gnupg.asc>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.

Updated: November 05, 2003

Status

__ Vulnerable

Vendor Statement

EnGarde Secure Linux was vulnerable as outlined in our advisory ESA-20010530-01 (May 30, 2001):

``&lt;http://www.linuxsecurity.com/advisories/other_advisory-1405.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Immunix

Updated: December 10, 2001

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Immunix has published Immunix OS Security Advisory IMNX-2001-70-023-01 regarding this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ MandrakeSoft

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has published a security advisory on this topic at:

<http://www.mandrakesecure.net/en/advisories/2001/MDKSA-2001-053-1.php3?dis=8.1>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Red Hat Inc.

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

RedHat has published a security advisory on this topic at:

<http://www.redhat.com/support/errata/RHSA-2001-073.html>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ SuSE Inc.

Updated: December 10, 2001

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has published a security advisory on this topic at:

<http://lists.suse.com/archive/suse-security-announce/2001-Jun/0000.html>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ The SCO Group (SCO Linux)

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera has published a security advisory on this topic at:

<http://www.caldera.com/support/security/advisories/CSSA-2001-020.1.txt>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Trustix

Updated: December 10, 2001

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Trustix has published a security advisory on this topic at:

<http://www.trustix.org/pipermail/tsl-announce/2001-June/000011.html>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ TurboLinux

Updated: November 05, 2003

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

TurboLinux has published a security advisory on this topic at:

<http://www.turbolinux.com/pipermail/tl-security-announce/2001-June/000439.html>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified: December 10, 2001 Updated: November 05, 2003

Status

__ Not Vulnerable

Vendor Statement

Fujitsu's UXP/V operating system is not affected by the GnuPG format string vulnerability because it does not support the GnuPG package.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified: December 10, 2001 Updated: November 05, 2003

Status

__ Not Vulnerable

Vendor Statement

we do not ship gnupg.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Apple Computer Inc.

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ BSDI

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Compaq Computer Corporation

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Data General

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Hewlett-Packard Company

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ IBM

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ NETBSD

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ NEXT

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ SGI

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Sequent

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Siemens Nixdorf

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Sony Corporation

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Sun Microsystems Inc.

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ The SCO Group (SCO UnixWare)

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ Unisys

Notified: December 10, 2001 Updated: December 11, 2001

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://www.gnupg.org/whatsnew.html#rn20010529>
  • <http://www.securityfocus.com/bid/2797>
  • <http://www.securityfocus.com/archive/1/187352>
  • <http://www.i.cz/en/onas/tisk4.html>
  • <http://linuxtoday.com/news_story.php3?ltsn=2001-05-30-015-20-SC-PD>
  • <http://www.redhat.com/support/errata/RHSA-2001-073.html>
  • <http://lists.suse.com/archive/suse-security-announce/2001-Jun/0000.html>
  • <http://www.turbolinux.com/pipermail/tl-security-announce/2001-June/000439.html>
  • <http://www.mandrakesecure.net/en/advisories/2001/MDKSA-2001-053-1.php3?dis=8.1>
  • <http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00064.html>
  • <http://www.caldera.com/support/security/advisories/CSSA-2001-020.1.txt>
  • <http://www.trustix.org/pipermail/tsl-announce/2001-June/000011.html>
  • <http://xforce.iss.net/static/6642.php>

Credit

Thanks to Fish Stiqz for discovering this vulnerability.

This document was written by Cory F. Cohen.

Other Information

CVE IDs: | CVE-2001-0522
---|---
Severity Metric:** | 21.94
Date Public:
| 2001-05-29
Date First Published: | 2001-12-10
Date Last Updated: | 2003-11-05 21:29 UTC
Document Revision: | 9