
#100409 GnuPG printf format string vulnerability



Extra details on the bug report for gnupg-1.04-2 can be found 
on http://www.securityfocus.com/bid/2797. Most distributions
appear to have reported a security alert, but all recommend
upgrading to 1.0.6. A backport for stable is in order, I
guess...

bfn, Wouter


From: Ulrik De Bie <ulrik@mind.be>
To: submit@bugs.debian.org
Message-ID: <20010610174246.A27008@mind.be>

Package: gnupg
Version: 1.0.4-2
Severity: grave

Since 1.0.4-2 is in stable, with this bug, it should be fixed IMHO.


Problem
-------
The problem code lies in util/ttyio.c in the 'do_get' function.  There is
a call to a function called 'tty_printf' (which eventually results in a
vfprintf call) without a constant format string:

> tty_printf( prompt );

If gpg attempts to decrypt a file whose filename does not end in ".gpg",
that filename (minus the extension) is copied to the prompt string,
allowing a user-suppliable format string.

Solution
--------
The vulnerable call obviously needs the "%s" conversion:

> tty_printf( "%s", prompt );

The newest release of GnuPG (version 1.0.6) contains this security fix,
as well as implementing many new features.  It can be obtained from
http://www.gnupg.org/download.html.  All GnuPG users are strongly urged to
upgrade as soon as possible.
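The vulnerable call and its fix, modelled in a stand-alone program. This is an added example, not GnuPG's own util/ttyio.c: tty_printf_model, prompt_from_filename, render_prompt_vulnerable, render_prompt_fixed and count_conversions are hypothetical names, and the filename it feeds in is constructed. The demo uses "%%" (which a format interpreter collapses to a single '%') rather than "%x" or "%n" so that it stays well defined; with the real bug an attacker's "%n" would write through the missing arguments, which is what makes the issue grave rather than cosmetic.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for tty_printf(): forwards its format string and
   arguments to vsnprintf, exactly the shape the report describes. */
static void tty_printf_model(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Build the prompt the way the report describes: the user-chosen filename
   minus its extension. Hypothetical helper, not GnuPG's code. */
static void prompt_from_filename(char *out, size_t outlen, const char *filename)
{
    const char *dot = strrchr(filename, '.');
    size_t len = dot ? (size_t)(dot - filename) : strlen(filename);
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, filename, len);
    out[len] = '\0';
}

/* Vulnerable shape: the attacker-influenced prompt IS the format string. */
void render_prompt_vulnerable(char *out, size_t outlen, const char *filename)
{
    char prompt[128];
    prompt_from_filename(prompt, sizeof prompt, filename);
    tty_printf_model(out, outlen, prompt);          /* tty_printf( prompt ); */
}

/* Fixed shape: a constant format, the prompt passed as a "%s" argument. */
void render_prompt_fixed(char *out, size_t outlen, const char *filename)
{
    char prompt[128];
    prompt_from_filename(prompt, sizeof prompt, filename);
    tty_printf_model(out, outlen, "%s", prompt);    /* tty_printf( "%s", prompt ); */
}

/* Count the '%' conversions a printf-family function would try to act on.
   "%%" is a literal percent and is not counted. A non-zero result for an
   untrusted string means it must never reach a format parameter. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char out[256];
    const char *name = "report%%.txt";   /* constructed filename */

    render_prompt_vulnerable(out, sizeof out, name);
    printf("vulnerable: %s\n", out);     /* the "%%" is interpreted: report% */
    render_prompt_fixed(out, sizeof out, name);
    printf("fixed:      %s\n", out);     /* printed verbatim: report%% */
    printf("conversions in \"a%%x%%n\": %d\n", count_conversions("a%x%n"));
    return 0;
}
```

The difference between the two outputs is the whole bug: in the vulnerable path the filename is parsed as a format, so every "%" directive in it is acted on, and "%n" would turn a prompt into a memory write. The count_conversions check is the kind of assertion a reviewer would add wherever a string of external origin approaches a printf-family call.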

