From wk at gnupg.org Sat Dec 2 18:45:07 2006
From: wk at gnupg.org (Werner Koch)
Date: Sat Dec 2 19:04:11 2006
Subject: [gnupg-ru] [Announce] Re: GnuPG Logo Contest
In-Reply-To: <87ac4w9fji.fsf@wheatstone.g10code.de> (Werner Koch's message of "Tue, 19 Sep 2006 15:01:05 +0200")
References: <87ac4w9fji.fsf@wheatstone.g10code.de>
Message-ID: <87slfy9opo.fsf@wheatstone.g10code.de>

Hello,

Back in September I announced a contest for a new GnuPG logo. By the
end of October I received 41 submissions from 31 parties.

The original plan was to let all the authors of GnuPG who signed a
copyright assignment with the FSF to vote on a new logo. However, I
only received 11 answers and there was no clear result: Only one
submission got 2 votes. It would have been unfair to take this as a
decision.

So I looked around and found the CIVS [1] which implements a Condorcet
voting system. I fed it with the addresses of all subscribers of the
gnupg-users and gnupg-devel mailing lists and started the process.
From the 1231 unique subscribers, 199 took the time to rank the
submissions and cast their vote.

This time the result is pretty clear: Thomas Wittek [2] from Cologne
is the lucky winner. He will soon see his design used with GnuPG and
also receive 50 percent of the received donation (we received as of
now 215 Euro but further donations won't be rejected [3]).
Unfortunately I can't offer him a mail alias thomas at gnupg because
this has been assigned to the creator of the old logo.

Ranks 2 and 3 are held by Robbie Tingey and Michel Blinn. They will
receive an email alias for their contribution.

If you like to see the new logo, point your browser to

  http://logo-contest.gnupg.org

You will also find the detailed results of the ballot, all
submissions and the list of sponsors.

I want to thank all who submitted a logo to the contest as well as
those who worked on a logo but submitted it too late.
There are some really cool designs and I hope that some can be reused
for another project.

Special thanks to the sponsors: Intevation GmbH, Markus Komosinski,
Parag Mehta, Folkert van Heusden, Ralph Angenendt, Alexander Tomisch,
Robert Workman, Simon Josefsson.

The remaining funds will be used to help with a new website design.

Many thanks to all,

  Werner


[1] http://www.cs.cornell.edu/andru/civs.html
[2] http://gedankenkonstrukt.de/ueber/ (German)
[3] http://www.gnupg.org/misc/logo-contest.html

--
Werner Koch                                      The GnuPG Experts
http://g10code.com
Join the Fellowship and protect your Freedom!    http://www.fsfe.org

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From wk at g10code.com Wed Dec 6 16:55:52 2006
From: wk at g10code.com (Werner Koch)
Date: Wed, 06 Dec 2006 16:55:52 +0100
Subject: [gnupg-ru] [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
Message-ID: <87psaxc92v.fsf@wheatstone.g10code.de>

GnuPG: remotely controllable function pointer [CVE-2006-6235]
===============================================================
                         2006-12-04

Summary
=======

Tavis Ormandy of the Gentoo security team identified a severe and
exploitable bug in the processing of encrypted packets in GnuPG.

[ Please do not send private mail in response to this message. The
  mailing list gnupg-devel is the best place to discuss this problem
  (please subscribe first so you don't need moderator approval [1]). ]

Impact
======

Using malformed OpenPGP packets an attacker is able to modify and
dereference a function pointer in GnuPG. This is a remotely
exploitable bug and affects any use of GnuPG where an attacker can
control the data processed by GnuPG. It is not necessarily limited to
encrypted data, also signed data may be affected.

Affected versions: All versions of GnuPG < 1.4.6
                   All versions of GnuPG-2 < 2.0.2
                   All beta versions of GnuPG-2 (1.9.0 ..
                   1.9.95)
Affected tools: gpg, gpgv, gpg2 and gpgv2.
Affected platforms: All.

gpg-agent, gpgsm as well as other tools are not affected.

A workaround is not known.

Solution
========

If you are using a vendor supplied version of GnuPG:

 * Wait for an update from your vendor. Vendors have been informed on
   Saturday December 2, less than a day after this bug has been
   reported.

If you are using GnuPG 1.4:

 * Update as soon as possible to GnuPG 1.4.6. It has been uploaded to
   the usual location: ftp://ftp.gnupg.org/gcrypt/gnupg/. This version
   was due to be released anyway this week. See
   http://www.gnupg.org/download/ for details.

 * Or: As another and less intrusive option, apply the attached patch
   to GnuPG 1.4.5. This is the smallest possible fix.

If you are using GnuPG 2.0:

 * Apply the attached patch against GnuPG 2.0.1.

 * Or: Stop using gpg2 and gpgv2, install GnuPG 1.4.6 and use gpg and
   gpgv instead.

If you are using a binary Windows version of GnuPG:

 * A binary version of GnuPG 1.4.6 for Windows is available as usual.

 * Gpg4win 1.0.8, including GnuPG 1.4.6, is available. Please go to
   http://www.gpg4win.org .

Background
==========

GnuPG uses data structures called filters to process OpenPGP messages.
These filters are used in a similar way as pipelines in the shell.
For communication between these filters context structures are used.
These are usually allocated on the stack and passed to the filter
functions. At most places the OpenPGP data stream fed into these
filters is closed before the context structure gets deallocated.
While decrypting encrypted packets, this may not happen in all cases
and the filter may use a void context structure filled with garbage.
An attacker may control this garbage. The filter context includes
another context used by the low-level decryption to access the
decryption algorithm. This is done using a function pointer.
By carefully crafting an OpenPGP message, an attacker may control this
function pointer and call an arbitrary function of the process.
Obviously an exploit needs to be prepared for a specific version,
compiler, libc, etc to be successful - but it is definitely doable.

Fixing this is obvious: We need to allocate the context on the heap
and use a reference count to keep it valid as long as either the
controlling code or the filter code needs it.

We have checked all other usages of such stack based filter contexts
but fortunately found no other vulnerable places. This allows us to
release a relatively small patch. However, for reasons of code
cleanness and easier audits we will soon start to change all these
stack based filter contexts to heap based ones.

Support
=======

g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's
principal author, is currently funding GnuPG development. As evident
by the two vulnerabilities found within a week, a review of the entire
code base should be undertaken as soon as possible. As maintainers we
try to do our best and are working slowly through the code.

The long standing plan is to scrutinize the 2.0 code base, write more
test cases and to backport new fixes and cleanups to 1.4. However, as
a small company our resources are limited and we need to prioritize
other projects which get us actual revenues. Support contracts or
other financial backing would greatly help us to improve the quality
of GnuPG.

Thanks
======

Tavis Ormandy found this vulnerability.

[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .

--
g10 Code GmbH    http://g10code.com        AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61                              Geschäftsführung Werner Koch
D-40699 Erkrath  -=- The GnuPG Experts -=- USt-Id DE215605608

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: filter-context-14-small.diff
Url: /pipermail/attachments/20061206/3de5c112/attachment-0002.diff
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: filter-context-20-small.diff
Url: /pipermail/attachments/20061206/3de5c112/attachment-0003.diff

From wk at gnupg.org Thu Dec 7 17:07:12 2006
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Dec 2006 17:07:12 +0100
Subject: [gnupg-ru] [Announce] Maintenance release for GnuPG 1.2.x
Message-ID: <87psavbsgf.fsf@wheatstone.g10code.de>

Hello,

I am pleased to announce a security update to the 1.2 series of
GnuPG: Version 1.2.8.

The 1.2.x series has reached end of life status about 2 years ago.
However, I make an update available for the sake of those who can't
migrate to 1.4. There is no guarantee that all problems are solved in
1.2 - it is in general better to migrate to the actively maintained
1.4 series.

You will find that version as well as corresponding signatures at the
usual place (ftp://ftp.gnupg.org/gcrypt/gnupg/).

Noteworthy changes in version 1.2.8 (2006-12-07)
------------------------------------------------

    Backported security fixes. Note, that the 1.2.x series has
    reached end of life status. You should migrate to 1.4.x.

    * Fixed a serious and exploitable bug in processing encrypted
      packages. [CVE-2006-6235].

    * Fixed a buffer overflow in gpg. [bug#728, CVE-2006-6169]

    * User IDs are now capped at 2048 bytes. This avoids a memory
      allocation attack [CVE-2006-3082].
    * Added countermeasures against the Mister/Zuccherato CFB attack.

Happy Hacking,

  Werner

--
Werner Koch                                      The GnuPG Experts
http://g10code.com
Join the Fellowship and protect your Freedom!    http://www.fsfe.org
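
The fix described in the CVE-2006-6235 advisory above (context on the heap, kept valid by a reference count while either the controlling code or the filter needs it), as an added sketch that is not GnuPG's code or the attached patch. All type and function names are hypothetical, the XOR routine only stands in for a cipher, and live_contexts exists purely so the lifetime can be checked.

```c
#include <stdlib.h>

/* All names are hypothetical; this is not GnuPG's code. */
typedef struct {
    int refcount;                                    /* controller + filter */
    int (*decrypt)(unsigned char *buf, size_t len);  /* low-level cipher hook */
} filter_ctx;
typedef struct { filter_ctx *filter; } stream;       /* stream with one filter */
int live_contexts;                                   /* instrumentation only */

static int toy_decrypt(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= 0x5a; /* stand-in for a cipher */
    return 0;
}

static filter_ctx *ctx_new(void) {
    filter_ctx *c = calloc(1, sizeof *c);            /* heap, not the stack */
    if (!c) return NULL;
    c->refcount = 1;                                 /* the caller's reference */
    c->decrypt = toy_decrypt;
    live_contexts++;
    return c;
}

static void ctx_unref(filter_ctx *c) {
    if (c && --c->refcount == 0) {                   /* last owner is gone */
        free(c);
        live_contexts--;
    }
}

/* Controlling code: installs the filter and returns before the stream is
   closed. The filter's own reference keeps the context valid afterwards. */
int start_decrypt(stream *s) {
    filter_ctx *c = ctx_new();
    if (!c) return -1;
    c->refcount++;                                   /* reference for the filter */
    s->filter = c;
    ctx_unref(c);                                    /* controller is done */
    return 0;
}

int stream_read(stream *s, unsigned char *buf, size_t len) {
    return s->filter ? s->filter->decrypt(buf, len) : -1;
}

void stream_close(stream *s) {                       /* filter drops its reference */
    ctx_unref(s->filter);
    s->filter = NULL;
}
```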