GnuPG format string vulnerability in do_get() in ttyio.c while prompting for a new filename

Overview

There is a format string vulnerability in GNU Privacy Guard. By sending a GPG message with a carefully crafted malicious filename, an attacker may be able to execute arbitrary code as the user who decrypts the message.

Description

GNU Privacy Guard (GPG) is a free, RFC2440 compliant replacement for Pretty Good Privacy (PGP).

A format string vulnerability occurs in the do_get() function in ttyio.c, where GnuPG calls tty_printf() with a user supplied format string. When GPG encounters a filename with an unknown suffix, and it is not in batch mode, it prompts the user for a new filename to write the decrypted results to. The default value (which is included in the prompt) is the existing filename. Note that the filename is embedded in the encrypted message itself, and that safe file names selected by the recipient is not sufficient to protect against this attack. If the filename embedded in the message contains printf style format characters, the message creator may be able to execute arbitrary code as the user who decrypts the message.

---

Impact

An attacker may be able to execute arbitrary code as the user decrypting the message.

---

Solution

Apply a patch from your vendor

GNU Privacy Guard version 1.0.6 corrects this problem. Many vendors have published security advisories and released updated distributions correcting the vulnerability.

---

Decrypt files in batch mode

Because the vulnerable code is not called when GnuPG is in batch mode, users may be able to work around the vulnerability by specifying --batch on the command line.

---

Vendor Information

403051

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Conectiva __ Affected

Updated: December 12, 2001

Status

Affected

Vendor Statement

Conectiva released an advisory and a fix in 2001-06-07:

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000399

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Debian __ Affected

Notified: December 10, 2001 Updated: December 11, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian has published a security advisory on this topic at:

<http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00064.html&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

FreeBSD __ Affected

Notified: December 10, 2001 Updated: December 11, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD has published a security advisory on this topic at:

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:44.gnupg.asc&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Guardian Digital Inc. __ Affected

Updated: November 05, 2003

Status

Affected

Vendor Statement

EnGarde Secure Linux was vulnerable as outlined in our advisory ESA-20010530-01 (May 30, 2001):

``<http://www.linuxsecurity.com/advisories/other_advisory-1405.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Immunix __ Affected

Updated: December 10, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Immunix has published Immunix OS Security Advisory IMNX-2001-70-023-01 regarding this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

MandrakeSoft __ Affected

Notified: December 10, 2001 Updated: December 11, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has published a security advisory on this topic at:

<http://www.mandrakesecure.net/en/advisories/2001/MDKSA-2001-053-1.php3?dis=8.1&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Red Hat Inc. __ Affected

Notified: December 10, 2001 Updated: December 11, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

RedHat has published a security advisory on this topic at:

<http://www.redhat.com/support/errata/RHSA-2001-073.html&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

SuSE Inc. __ Affected

Updated: December 10, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has published a security advisory on this topic at:

<http://lists.suse.com/archive/suse-security-announce/2001-Jun/0000.html&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

The SCO Group (SCO Linux) __ Affected

Notified: December 10, 2001 Updated: December 11, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera has published a security advisory on this topic at:

<http://www.caldera.com/support/security/advisories/CSSA-2001-020.1.txt&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Trustix __ Affected

Updated: December 10, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Trustix has published a security advisory on this topic at:

<http://www.trustix.org/pipermail/tsl-announce/2001-June/000011.html&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

TurboLinux __ Affected

Updated: November 05, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

TurboLinux has published a security advisory on this topic at:

<http://www.turbolinux.com/pipermail/tl-security-announce/2001-June/000439.html&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Fujitsu __ Not Affected

Notified: December 10, 2001 Updated: November 05, 2003

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V operating system is not affected by the GnuPG format string vulnerability because it does not support the GnuPG package.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

OpenBSD __ Not Affected

Notified: December 10, 2001 Updated: November 05, 2003

Status

Not Affected

Vendor Statement

we do not ship gnupg.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Apple Computer Inc. Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

BSDI Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Compaq Computer Corporation Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Data General Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Hewlett-Packard Company Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

IBM Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

NETBSD Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

NEXT Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

SGI Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Sequent Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Siemens Nixdorf Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Sony Corporation Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Sun Microsystems Inc. Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

The SCO Group (SCO UnixWare) Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

Unisys Unknown

Notified: December 10, 2001 Updated: December 11, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23403051 Feedback>).

View all 28 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.gnupg.org/whatsnew.html#rn20010529&gt;
• <http://www.securityfocus.com/bid/2797&gt;
• <http://www.securityfocus.com/archive/1/187352&gt;
• <http://www.i.cz/en/onas/tisk4.html&gt;
• <http://linuxtoday.com/news_story.php3?ltsn=2001-05-30-015-20-SC-PD&gt;
• <http://www.redhat.com/support/errata/RHSA-2001-073.html&gt;
• <http://lists.suse.com/archive/suse-security-announce/2001-Jun/0000.html&gt;
• <http://www.turbolinux.com/pipermail/tl-security-announce/2001-June/000439.html&gt;
• <http://www.mandrakesecure.net/en/advisories/2001/MDKSA-2001-053-1.php3?dis=8.1&gt;
• <http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00064.html&gt;
• <http://www.caldera.com/support/security/advisories/CSSA-2001-020.1.txt&gt;
• <http://www.trustix.org/pipermail/tsl-announce/2001-June/000011.html&gt;
• <http://xforce.iss.net/static/6642.php&gt;

Acknowledgements

Thanks to Fish Stiqz for discovering this vulnerability.

This document was written by Cory F. Cohen.

Other Information

CVE IDs:	CVE-2001-0522
Severity Metric:	21.94 Date Public: