Home page logo
/

bugtraq logo Bugtraq mailing list archives

[CSSA-2001-020.0] Format bug in gnupg
From: Caldera Support Information <sup-info () opus caldera com>
Date: Fri, 8 Jun 2001 12:17:23 -0600


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                   Caldera International, Inc.  Security Advisory

Subject:                format bug in gnupg
Advisory number:        CSSA-2001-020.0
Issue date:             2001 June, 08
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a format string problem in the printing of filenames of
   GnuPG. It is possible that a remote attacker creates a mailmessage
   that when opened with a mailprogram exploits the problem and
   allows the attacker to gain access to the users account.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                All packages previous to
                                gnupg-1.0.6-1

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder       gnupg-1.0.6-1

   OpenLinux eDesktop 2.4       All packages previous to
                                gnupg-1.0.6-1

3. Solution

   Workaround

      none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS
   
   4.2 Verification

       c34cd4d1c2de4caebdb52b6057752127  RPMS/gnupg-1.0.6-1.i386.rpm
       46b5360e1f2ea45681b95a6c3b1bb34f  SRPMS/gnupg-1.0.6-1.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv gnu*.i386.rpm

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       d8c6d2f3ca54e5e677b8bec6b5089687  RPMS/gnupg-1.0.6-1.i386.rpm
       46b5360e1f2ea45681b95a6c3b1bb34f  SRPMS/gnupg-1.0.6-1.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fvh gnu*i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       f4931404eab64b6365b4abba69a42ef4  RPMS/gnupg-1.0.6-1.i386.rpm
       46b5360e1f2ea45681b95a6c3b1bb34f  SRPMS/gnupg-1.0.6-1.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

           rpm -Fvh gnu*i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10044.

8. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements:

   Caldera International wishes to thank Synnergy Networks for
   reporting the problem and the GnuPG folks for providing a fixed
   version.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7II/m18sy83A/qfwRAvyKAJ0TvawBBR3HBslME92rcn/DclhmNgCeIDT5
MA+sDumHyurAAAO2+f2wiV8=
=yzto
-----END PGP SIGNATURE-----



  By Date           By Thread  

Current thread:
  • [CSSA-2001-020.0] Format bug in gnupg Caldera Support Information (Jun 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]