|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
 |
Vulnerability Note VU#427009
GnuPG vulnerable to remote data control
OverviewA vulnerability in GnuPG could allow a remote attacker to execute arbitrary code on an affected system.
I. DescriptionGNU Privacy Guard (GnuPG) is the GNU project's implementation of the OpenPGP standard as defined by RFC2440.
OpenPGP messages are processed by GnuPG using data structures called filters that are used in a way similar to pipelines in the shell. Context structures that are usually allocated on the stack and passed to the filter functions are used for communications between these filters. Before the context structure gets deallocated, the OpenPGP data stream that is fed into the filters is closed. In some cases, while decrypting encrypted packets, this may not happen and the filter may use a void context structure filled with garbage that is under the attacker's control. Another context is included in the filter context for use by the low-level decryption. The decryption algorithm is accessed by this context via a function pointer.
According to GnuPG:
Using malformed OpenPGP packets an attacker is able to modify and dereference a function pointer in GnuPG.
The GnuPG advisory notes that both encrypted and signed data could be used as attack vectors for this vulnerability.
II. ImpactA remote, unauthenticated attacker with the ability to supply specially crafted OpenPGP packets to a vulnerable version of GnuPG may be able to execute arbitrary code on an affected system. The attacker-supplied code would be executed with the privileges of the user or application invoking gpg.
III. SolutionApply a patch or upgrade
Patches have been released to address this issue. Please see the Systems Affected section of this document for more details on specific vendors.
Users who compile GnuPG from the original distribution are encouraged to upgrade to version 1.4.6 (or later) or apply the patch to upgrade from 1.4.5 to 1.4.6.
Run with limited privileges
Running GnuPG with reduced privileges may help mitigate the effects of this vulnerability. Note that this workaround will not prevent exploitation.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|
| Apple Computer, Inc. | Not Vulnerable | 18-Dec-2006 |
| Conectiva Inc. | Unknown | 18-Dec-2006 |
| Cray Inc. | Unknown | 18-Dec-2006 |
| Debian GNU/Linux | Vulnerable | 21-Dec-2006 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 18-Dec-2006 |
| Engarde Secure Linux | Unknown | 18-Dec-2006 |
| F5 Networks, Inc. | Unknown | 18-Dec-2006 |
| Fedora Project | Unknown | 18-Dec-2006 |
| FreeBSD, Inc. | Unknown | 18-Dec-2006 |
| Fujitsu | Unknown | 18-Dec-2006 |
| Gentoo Linux | Vulnerable | 21-Dec-2006 |
| GnuPG | Vulnerable | 7-Dec-2006 |
| Hewlett-Packard Company | Unknown | 18-Dec-2006 |
| Hitachi | Unknown | 18-Dec-2006 |
| IBM Corporation | Unknown | 18-Dec-2006 |
| IBM Corporation (zseries) | Unknown | 18-Dec-2006 |
| IBM eServer | Unknown | 18-Dec-2006 |
| Immunix Communications, Inc. | Unknown | 18-Dec-2006 |
| Ingrian Networks, Inc. | Unknown | 18-Dec-2006 |
| Juniper Networks, Inc. | Unknown | 18-Dec-2006 |
| Mandriva, Inc. | Vulnerable | 18-Dec-2006 |
| Microsoft Corporation | Unknown | 18-Dec-2006 |
| MontaVista Software, Inc. | Unknown | 18-Dec-2006 |
| NEC Corporation | Unknown | 18-Dec-2006 |
| NetBSD | Unknown | 18-Dec-2006 |
| Novell, Inc. | Unknown | 18-Dec-2006 |
| OpenBSD | Unknown | 18-Dec-2006 |
| OpenPKG | Vulnerable | 21-Dec-2006 |
| Openwall GNU/*/Linux | Vulnerable | 18-Dec-2006 |
| QNX, Software Systems, Inc. | Unknown | 18-Dec-2006 |
| Red Hat, Inc. | Vulnerable | 7-Dec-2006 |
| rPath | Vulnerable | 7-Dec-2006 |
| Silicon Graphics, Inc. | Unknown | 18-Dec-2006 |
| Slackware Linux Inc. | Vulnerable | 21-Dec-2006 |
| Sony Corporation | Unknown | 18-Dec-2006 |
| Sun Microsystems, Inc. | Not Vulnerable | 21-Dec-2006 |
| SUSE Linux | Vulnerable | 19-Dec-2006 |
| The SCO Group | Unknown | 18-Dec-2006 |
| Trustix Secure Linux | Vulnerable | 11-Dec-2006 |
| Turbolinux | Unknown | 18-Dec-2006 |
| Ubuntu | Vulnerable | 7-Dec-2006 |
| Unisys | Unknown | 18-Dec-2006 |
| Wind River Systems, Inc. | Unknown | 18-Dec-2006 |
References
http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000245.html
http://secunia.com/advisories/23245/
http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html
http://secunia.com/advisories/23329/
http://secunia.com/advisories/23269/
http://secunia.com/advisories/23284/
http://secunia.com/advisories/23250/
http://secunia.com/advisories/23299/
http://secunia.com/advisories/23303/
http://secunia.com/advisories/23290/
http://secunia.com/advisories/23259/
http://secunia.com/advisories/24047/
Credit
This issue was publicly reported by Werner Koch of the GnuPG project who, in turn, credits Tavis Ormandy of the Gentoo Security Team with its discovery.
This document was written by Chad R Dougherty and Chris Taschner.
Other Information
| Date Public: | 2006-12-06 |
| Date First Published: | 2006-12-18 |
| Date Last Updated: | 2007-02-06 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2006-6235 |
| NVD-ID(s): | CVE-2006-6235 |
| US-CERT Technical Alerts: | |
| Metric: | 9.11 |
| Document Revision: | 42 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader