Vulnerability Note VU#427009
GnuPG vulnerable to remote data control
A vulnerability in GnuPG could allow a remote attacker to execute arbitrary code on an affected system.
GNU Privacy Guard (GnuPG) is the GNU project's implementation of the OpenPGP standard as defined by RFC2440.
OpenPGP messages are processed by GnuPG using data structures called filters that are used in a way similar to pipelines in the shell. Context structures that are usually allocated on the stack and passed to the filter functions are used for communications between these filters. Before the context structure gets deallocated, the OpenPGP data stream that is fed into the filters is closed. In some cases, while decrypting encrypted packets, this may not happen and the filter may use a void context structure filled with garbage that is under the attacker's control. Another context is included in the filter context for use by the low-level decryption. The decryption algorithm is accessed by this context via a function pointer.
A remote, unauthenticated attacker with the ability to supply specially crafted OpenPGP packets to a vulnerable version of GnuPG may be able to execute arbitrary code on an affected system. The attacker-supplied code would be executed with the privileges of the user or application invoking gpg.
Apply a patch or upgrade
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Debian GNU/Linux||Affected||18 Dec 2006||21 Dec 2006|
|Gentoo Linux||Affected||18 Dec 2006||21 Dec 2006|
|GnuPG||Affected||07 Dec 2006||07 Dec 2006|
|Mandriva, Inc.||Affected||18 Dec 2006||18 Dec 2006|
|OpenPKG||Affected||-||21 Dec 2006|
|Openwall GNU/*/Linux||Affected||18 Dec 2006||18 Dec 2006|
|Red Hat, Inc.||Affected||-||07 Dec 2006|
|rPath||Affected||-||07 Dec 2006|
|Slackware Linux Inc.||Affected||-||21 Dec 2006|
|SUSE Linux||Affected||18 Dec 2006||19 Dec 2006|
|Trustix Secure Linux||Affected||-||11 Dec 2006|
|Ubuntu||Affected||-||07 Dec 2006|
|Apple Computer, Inc.||Not Affected||18 Dec 2006||18 Dec 2006|
|Sun Microsystems, Inc.||Not Affected||18 Dec 2006||21 Dec 2006|
|Conectiva Inc.||Unknown||18 Dec 2006||18 Dec 2006|
CVSS Metrics (Learn More)
This issue was publicly reported by Werner Koch of the GnuPG project who, in turn, credits Tavis Ormandy of the Gentoo Security Team with its discovery.
This document was written by Chad R Dougherty and Chris Taschner.
- CVE IDs: CVE-2006-6235
- Date Public: 06 Dec 2006
- Date First Published: 18 Dec 2006
- Date Last Updated: 06 Feb 2007
- Severity Metric: 9.11
- Document Revision: 42
If you have feedback, comments, or additional information about this vulnerability, please send us email.