Vulnerability Note VU#403051
GnuPG format string vulnerability in do_get() in ttyio.c while prompting for a new filename
Overview
There is a format string vulnerability in GNU Privacy Guard (GnuPG). By sending an encrypted message whose embedded filename contains printf-style format directives, an attacker may be able to execute arbitrary code as the user who decrypts the message.
Description
GNU Privacy Guard (GPG) is a free, RFC 2440-compliant replacement for Pretty Good Privacy (PGP). A format string vulnerability exists in the do_get() function in ttyio.c, where GnuPG calls tty_printf() with a user-supplied string as the format argument. When GPG encounters a filename with an unknown suffix and is not running in batch mode, it prompts the user for a new filename to which the decrypted results should be written. The default value offered in that prompt is the existing filename, so the filename becomes part of the format string that tty_printf() interprets. Note that the filename is embedded in the encrypted message itself and is chosen by the sender, not the recipient; choosing safe filenames on the receiving side therefore does not protect against this attack. If the filename embedded in the message contains printf-style format characters, the message creator may be able to execute arbitrary code as the user who decrypts the message.
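The following is an added illustration of the bug class described above; it is not GnuPG's source, and the names render_prompt_unsafe, render_prompt_safe, prompt_printf and has_format_directive are hypothetical. It builds the same kind of prompt (a default filename taken from untrusted input) and hands it to a printf-family function first as the format string, then as an argument to a constant "%s" format. The sample filename is constructed to use only "%%", which is well defined with no arguments, so the difference is visible without invoking undefined behaviour; a real attacker would use "%x" to read the stack or "%n" to write memory.

```c
/* Added example, not GnuPG code: vulnerable vs. fixed prompt rendering
 * for a message-supplied default filename. All names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a tty_printf()-like helper. It formats into a caller
 * buffer instead of the terminal so the result can be inspected. Like
 * GnuPG's helper it is a variadic wrapper around the v*printf family. */
int prompt_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: the prompt text, which embeds the untrusted
 * filename, is passed as the FORMAT string. Every '%' directive in the
 * filename is interpreted by vsnprintf with no matching arguments. */
int render_prompt_unsafe(char *out, size_t n, const char *filename)
{
    char prompt[256];
    snprintf(prompt, sizeof prompt, "Enter new filename [%s]: ", filename);
    return prompt_printf(out, n, prompt);          /* BUG: prompt is fmt */
}

/* Fixed pattern: a constant format, untrusted text only as an argument. */
int render_prompt_safe(char *out, size_t n, const char *filename)
{
    char prompt[256];
    snprintf(prompt, sizeof prompt, "Enter new filename [%s]: ", filename);
    return prompt_printf(out, n, "%s", prompt);    /* untrusted text is data */
}

/* Defence-in-depth check: flag untrusted text that carries a directive
 * before it reaches any printf-family function. Returns 1 if found. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed sample: a filename from a (hypothetical) message. */
    const char *attacker_name = "report%%.txt";
    char buf[256];

    render_prompt_unsafe(buf, sizeof buf, attacker_name);
    printf("unsafe: %s\n", buf);   /* "%%" collapses to "%": interpreted */
    render_prompt_safe(buf, sizeof buf, attacker_name);
    printf("safe:   %s\n", buf);   /* filename reproduced verbatim */
    printf("directive present: %d\n", has_format_directive(attacker_name));
    return 0;
}
```

The fix is the one-token change from `prompt_printf(out, n, prompt)` to `prompt_printf(out, n, "%s", prompt)`. Building with `-Wformat -Wformat-security` makes GCC warn whenever a non-literal string is used as a format with no arguments, which catches this pattern at compile time for functions that carry the printf format attribute.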
Impact
An attacker may be able to execute arbitrary code as the user decrypting the message.
Solution
Apply a patch from your vendor.
Decrypt files in batch mode (for example with --batch), in which GnuPG does not prompt for a new filename and so never renders the message-supplied name as a format string.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Conectiva | Affected | - | 12 Dec 2001 |
| Debian | Affected | 10 Dec 2001 | 11 Dec 2001 |
| FreeBSD | Affected | 10 Dec 2001 | 11 Dec 2001 |
| Guardian Digital Inc. | Affected | - | 05 Nov 2003 |
| Immunix | Affected | - | 10 Dec 2001 |
| MandrakeSoft | Affected | 10 Dec 2001 | 11 Dec 2001 |
| Red Hat Inc. | Affected | 10 Dec 2001 | 11 Dec 2001 |
| SuSE Inc. | Affected | - | 10 Dec 2001 |
| The SCO Group (SCO Linux) | Affected | 10 Dec 2001 | 11 Dec 2001 |
| Trustix | Affected | - | 10 Dec 2001 |
| TurboLinux | Affected | - | 05 Nov 2003 |
| Fujitsu | Not Affected | 10 Dec 2001 | 05 Nov 2003 |
| OpenBSD | Not Affected | 10 Dec 2001 | 05 Nov 2003 |
| Apple Computer Inc. | Unknown | 10 Dec 2001 | 11 Dec 2001 |
| BSDI | Unknown | 10 Dec 2001 | 11 Dec 2001 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.gnupg.org/whatsnew.html#rn20010529
- http://www.securityfocus.com/bid/2797
- http://www.securityfocus.com/archive/1/187352
- http://www.i.cz/en/onas/tisk4.html
- http://linuxtoday.com/news_story.php3?ltsn=2001-05-30-015-20-SC-PD
- http://www.redhat.com/support/errata/RHSA-2001-073.html
- http://lists.suse.com/archive/suse-security-announce/2001-Jun/0000.html
- http://www.turbolinux.com/pipermail/tl-security-announce/2001-June/000439.html
- http://www.mandrakesecure.net/en/advisories/2001/MDKSA-2001-053-1.php3?dis=8.1
- http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00064.html
- http://www.caldera.com/support/security/advisories/CSSA-2001-020.1.txt
- http://www.trustix.org/pipermail/tsl-announce/2001-June/000011.html
- http://xforce.iss.net/static/6642.php
Credit
Thanks to Fish Stiqz for discovering this vulnerability.
This document was written by Cory F. Cohen.
Other Information
- CVE IDs: CVE-2001-0522
- Date Public: 29 May 2001
- Date First Published: 10 Dec 2001
- Date Last Updated: 05 Nov 2003
- Severity Metric: 21.94
- Document Revision: 9