US-CERT Vulnerability Notes Database

Vulnerability Note VU#403051

GnuPG format string vulnerability in do_get() in ttyio.c while prompting for a new filename

Overview

There is a format string vulnerability in GNU Privacy Guard. By sending a GPG message with a carefully crafted malicious filename, an attacker may be able to execute arbitrary code as the user who decrypts the message.

I. Description

GNU Privacy Guard (GPG) is a free, RFC 2440-compliant replacement for Pretty Good Privacy (PGP).

A format string vulnerability occurs in the do_get() function in ttyio.c, where GnuPG calls tty_printf() with a user-supplied format string. When GPG encounters a filename with an unknown suffix and it is not in batch mode, it prompts the user for a new filename to write the decrypted results to. The default value, which is included in the prompt, is the existing filename. Note that the filename is embedded in the encrypted message itself, so choosing safe file names on the recipient's side is not sufficient to protect against this attack. If the filename embedded in the message contains printf-style format characters, the message creator may be able to execute arbitrary code as the user who decrypts the message.
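As an added illustration, not GnuPG's own code, the following shows the bug class the note describes (a message-supplied filename used as the printf format for the prompt) beside the corrected call, plus a check a receiving tool could apply to an embedded filename before prompting; tty_printf_buf, prompt_vulnerable, prompt_fixed and has_format_directive are hypothetical stand-ins.

```c
/* Added example, not GnuPG's code. The bug class behind VU#403051: a
 * filename taken from the message is used as a printf format string.
 * All names below are hypothetical stand-ins. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for tty_printf(): printf-style output into a caller buffer. */
static int tty_printf_buf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern: the prompt text, which embeds the message-supplied
 * default filename, is passed as the format string itself. A '%' in the
 * name is then interpreted by vsnprintf instead of printed (undefined
 * behaviour). Kept here only to show the shape of the bug. */
int prompt_vulnerable(char *out, size_t n, const char *default_name)
{
    char prompt[256];
    snprintf(prompt, sizeof prompt, "Enter new file name [%s]: ", default_name);
    return tty_printf_buf(out, n, prompt);   /* BUG: data used as format */
}

/* Corrected pattern: constant format, filename passed as an argument.
 * A '%' in the name is now copied literally. */
int prompt_fixed(char *out, size_t n, const char *default_name)
{
    return tty_printf_buf(out, n, "Enter new file name [%s]: ", default_name);
}

/* Defensive check for a receiving tool: does an embedded filename carry a
 * printf directive? A '%' not paired as "%%" starts a conversion. */
bool has_format_directive(const char *name)
{
    for (const char *p = name; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        return true;
    }
    return false;
}
```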

II. Impact

An attacker may be able to execute arbitrary code as the user decrypting the message.

III. Solution

Apply a patch from your vendor

GNU Privacy Guard version 1.0.6 corrects this problem. Many vendors have published security advisories and released updated distributions correcting the vulnerability.

Decrypt files in batch mode

Because the vulnerable code is not called when GnuPG is in batch mode, users may be able to work around the vulnerability by specifying --batch on the command line.

Systems Affected

Vendor                        Status          Date Notified   Date Updated
Apple Computer Inc.           Unknown                         11-Dec-2001
BSDI                          Unknown                         11-Dec-2001
Compaq Computer Corporation   Unknown                         11-Dec-2001
Conectiva                     Vulnerable                      12-Dec-2001
Data General                  Unknown                         11-Dec-2001
Debian                        Vulnerable                      11-Dec-2001
FreeBSD                       Vulnerable                      11-Dec-2001
Fujitsu                       Not Vulnerable                  5-Nov-2003
Guardian Digital Inc.         Vulnerable                      5-Nov-2003
Hewlett-Packard Company       Unknown                         11-Dec-2001
IBM                           Unknown                         11-Dec-2001
Immunix                       Vulnerable                      10-Dec-2001
MandrakeSoft                  Vulnerable                      11-Dec-2001
NETBSD                        Unknown                         11-Dec-2001
NEXT                          Unknown                         11-Dec-2001
OpenBSD                       Not Vulnerable                  5-Nov-2003
Red Hat Inc.                  Vulnerable                      11-Dec-2001
Sequent                       Unknown                         11-Dec-2001
SGI                           Unknown                         11-Dec-2001
Siemens Nixdorf               Unknown                         11-Dec-2001
Sony Corporation              Unknown                         11-Dec-2001
Sun Microsystems Inc.         Unknown                         11-Dec-2001
SuSE Inc.                     Vulnerable                      10-Dec-2001
The SCO Group (SCO Linux)     Vulnerable                      11-Dec-2001
The SCO Group (SCO UnixWare)  Unknown                         11-Dec-2001
Trustix                       Vulnerable                      10-Dec-2001
TurboLinux                    Vulnerable                      5-Nov-2003
Unisys                        Unknown                         11-Dec-2001

References

http://www.gnupg.org/whatsnew.html#rn20010529
http://www.securityfocus.com/bid/2797
http://www.securityfocus.com/archive/1/187352
http://www.i.cz/en/onas/tisk4.html
http://linuxtoday.com/news_story.php3?ltsn=2001-05-30-015-20-SC-PD
http://www.redhat.com/support/errata/RHSA-2001-073.html
http://lists.suse.com/archive/suse-security-announce/2001-Jun/0000.html
http://www.turbolinux.com/pipermail/tl-security-announce/2001-June/000439.html
http://www.mandrakesecure.net/en/advisories/2001/MDKSA-2001-053-1.php3?dis=8.1
http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00064.html
http://www.caldera.com/support/security/advisories/CSSA-2001-020.1.txt
http://www.trustix.org/pipermail/tsl-announce/2001-June/000011.html
http://xforce.iss.net/static/6642.php

Credit

Thanks to Fish Stiqz for discovering this vulnerability.

This document was written by Cory F. Cohen.

Other Information

Date Public: 2001-05-29
Date First Published: 2001-12-10
Date Last Updated: 2003-11-05
CERT Advisory:
CVE-ID(s): CVE-2001-0522
NVD-ID(s): CVE-2001-0522
US-CERT Technical Alerts:
Severity Metric: 21.94
Document Revision: 9

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2001 Carnegie Mellon University