Re: #100409 GnuPG printf format string vulnerability



Wouter Cloetens <wouter@mind.be> writes:

> Extra details on the bug report for gnupg-1.04-2 can be found 
> on http://www.securityfocus.com/bid/2797. Most distributions
> appear to have reported a security alert, but all recommend
> upgrading to 1.0.6. A backport for stable is in order, I
> guess...

> Since 1.0.4-2 is in stable, with this bug, it should be fixed IMHO.

With GnuPG 1.0.4, the web of trust can be compromised by an attacker,
and there's a pretty severe problem with detached signature
verification.  You should not distribute this version.  (I'm going to
file a bug report soon.)

-- 
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898