Home page logo

bugtraq logo Bugtraq mailing list archives

The GnuPG format string bug (was: TSLSA-2001-0009 - GnuPG)
From: Werner Koch <wk () gnupg org>
Date: Fri, 1 Jun 2001 21:23:54 +0200


A remark on the recent GnuPG bug and the exploit:

In many cases GnuPG is used as a backend for a MUA or some script.
In these cases gpg should be called with the option --batch which
suppresses the output of the filename to the tty and thereby makes
it immune against the bug.  So, it should be save to continue using
GnuPG from within a MUA.

However, I strongly recommend to upgrade anyway or just fix the
problem in util/ttyio.c as fish stiqz suggested.

There are minor build problem in GnuPG 1.0.6 when GCC is not used.
The missing parenthesis is quite obvious and the other problems are
related to gettext.  If you encounter such a problem try to use

  ./configure --with-included-gettext && make
and if this also fails, forget about NLS by using

  ./configure --disable-nls && make
BTW, the Windows version is not affect by this bug, but there are
probably other problems with this system ;-)

Please send complains or other comments to <gnupg-users () gnupg org>
and NOT by private mail.  Thanks.



Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus

  By Date           By Thread  

Current thread:
  • TSLSA-2001-0009 - GnuPG Trustix Secure Linux Advisor (Jun 01)
    • The GnuPG format string bug (was: TSLSA-2001-0009 - GnuPG) Werner Koch (Jun 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]