GnuPG tty_printf() Format String

2001-05-29T19:58:00
ID OSVDB:1845
Type osvdb
Reporter Fish Stiqz (fish@synnergy.net)
Modified 2001-05-29T19:58:00

Description

Vulnerability Description

GnuPG contains a flaw that may allow a malicious user to execute arbitrary code in the context of a user decrypting a given file. The issue is triggered when the attacker sends the victim a GPG message with a crafted filename, exploiting a format string vulnerability in the tty_printf() function. It is possible that the flaw may allow execution of code in the context of the target user, resulting in a loss of integrity.

Technical Description

In the do_get() function in the ttyio.c file, GnuPG calls tty_printf() with a user-supplied format string. When GPG is not in batch mode and encounters a filename with an unknown suffix, it prompts the user for a new filename to write the decrypted results to, offering the existing filename as the default value. If the filename embedded in the message contains printf-style format characters, the message creator may be able to execute arbitrary code as the user who decrypts the message.
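The pattern described above, reduced to a small C program. This is an added example, not GnuPG's source: `prompt_printf`, `show_prompt_flawed`, `show_prompt_fixed`, the prompt wording and the sample filename are constructed for illustration, and the corrected form shown is the conventional constant-format fix.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a tty_printf()-style variadic printer.
 * It formats into a buffer instead of the terminal so the result
 * can be inspected. */
static int prompt_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern: the prompt, which embeds the filename taken from
 * the message, is handed over as the format string itself. */
int show_prompt_flawed(char *out, size_t n, const char *name_from_msg)
{
    char prompt[256];
    snprintf(prompt, sizeof prompt, "Enter new filename [%s]: ", name_from_msg);
    return prompt_printf(out, n, prompt);        /* data used as format */
}

/* Corrected pattern: constant format, prompt passed as an argument. */
int show_prompt_fixed(char *out, size_t n, const char *name_from_msg)
{
    char prompt[256];
    snprintf(prompt, sizeof prompt, "Enter new filename [%s]: ", name_from_msg);
    return prompt_printf(out, n, "%s", prompt);  /* data stays data */
}

int main(void)
{
    /* Constructed sample name. "%%" consumes no argument, so the flawed
     * path stays well-defined while still showing that the name is
     * parsed as a format rather than printed verbatim. */
    const char *name = "report-100%%.xyz";
    char a[256], b[256];
    show_prompt_flawed(a, sizeof a, name);
    show_prompt_fixed(b, sizeof b, name);
    printf("flawed: %s\nfixed:  %s\n", a, b);
    return 0;
}
```

The flawed path collapses `%%` to a single `%`, which shows the embedded name reached the format parser; the fixed path prints it unchanged. Compiling callers of real printf-family functions with `-Wformat -Wformat-security` flags non-literal format arguments of this kind.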

Solution Description

Upgrade to version 1.0.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

ISS X-Force ID: 6642
Generic Exploit URL: http://www.securityfocus.com/archive/1/187352
CVE-2001-0522
CERT VU: 233200
CERT VU: 403051
Bugtraq ID: 2797