Fw: [UNIX] GnuPG Format String Vulnerability in ttyio.c's do_get()

vedaal vedaal@hotmail.com
Mon Dec 17 15:17:02 2001


received the alert below from securiteam,

is it 'real'?
if not,
perhaps they should be responded to before any widespread misunderstandings
result,
if yes,
what 'patch' are they referring to?

vedaal

----- Original Message -----
From: <support@securiteam.com>
To: <list@securiteam.com>
Sent: Sunday, December 16, 2001 7:46 PM
Subject: [UNIX] GnuPG Format String Vulnerability in ttyio.c's do_get()


> The following security advisory is sent to the securiteam mailing list,
> and can be found at the SecuriTeam web site: http://www.securiteam.com
>
>
>
>   GnuPG Format String Vulnerability in ttyio.c's do_get()
> ------------------------------------------------------------------------
>
>
> SUMMARY
>
> There is a format string vulnerability in GNU Privacy Guard. By sending a
> GPG message with a carefully crafted malicious filename, an attacker may
> be able to execute arbitrary code as the user who decrypts the message.
>
> DETAILS
>
> GNU Privacy Guard (GPG) is a free, RFC2440 compliant replacement for
> Pretty Good Privacy (PGP).
>
> A format string vulnerability occurs in the do_get() function in ttyio.c,
> where GnuPG calls tty_printf() with a user supplied format string. When
> GPG encounters a filename with an unknown suffix, and is not in batch
> mode, it prompts the user for a new filename to write the decrypted
> results to. The default value (which is included in the prompt) is the
> existing filename. Note that the file name is embedded in the encrypted
> message itself, and that safe file names selected by the recipient are not
> sufficient to protect against this attack. If the filename embedded in the
> message contains printf style format characters, the message creator may
> be able to execute arbitrary code as the user who decrypts the message.
>
> Impact:
> An attacker may be able to execute arbitrary code as the user decrypting
> the message.
>
> Solution:
> Apply a patch from your vendor
>
>
> ADDITIONAL INFORMATION
>
> The information has been provided by
> <mailto:cert@cert.org?Subject=VU%23403051 Feedback> CERT/CC.
>
>
>
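To make the code pattern the advisory describes concrete, here is an added example written for this post (it is not GnuPG's ttyio.c): a stand-in for tty_printf() that formats into a buffer, the vulnerable prompt beside the corrected one, and an audit helper that counts printf directives in a filename. The only directive exercised is the harmless "%%", which is enough to show that the prompt is being interpreted as a format string rather than printed as data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for GnuPG's tty_printf(): formats into a buffer instead of the tty. */
static int tty_printf_model(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern the advisory describes: the prompt, which already holds the
 * sender-controlled default filename, is itself passed as the format string. */
void prompt_unsafe(char *out, size_t outlen, const char *default_name)
{
    char prompt[256];
    snprintf(prompt, sizeof prompt, "Enter new file name [%s]: ", default_name);
    tty_printf_model(out, outlen, prompt);        /* data used as a format string */
}

/* Fixed pattern: constant format string; the filename is only an argument. */
void prompt_safe(char *out, size_t outlen, const char *default_name)
{
    tty_printf_model(out, outlen, "Enter new file name [%s]: ", default_name);
}

/* Audit helper: count '%' directives in a name, ignoring the literal "%%" pair. */
int count_format_directives(const char *name)
{
    int count = 0;
    for (const char *p = name; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" prints as a single '%' */
        count++;
    }
    return count;
}

/* Render the prompt with either variant and compare it to the expected text.
 * The sample names used in the checks are constructed, not taken from any message. */
int prompt_equals(int use_safe, const char *name, const char *expected)
{
    char out[512];
    if (use_safe) prompt_safe(out, sizeof out, name);
    else          prompt_unsafe(out, sizeof out, name);
    return strcmp(out, expected) == 0;
}
```

With the constructed name "report%%.txt", the unsafe variant collapses "%%" to "%" in the prompt while the safe variant echoes the name unchanged; the helper reports zero directives for that name and two for "a%s b%x.txt".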