v0.3.2 fixes the setuid hole

Werner Koch wk at isil.d.shuttle.de
Thu Jul 9 17:17:11 CEST 1998


Hi,

Please get the new release from 

ftp://ftp.guug.de/pub/gcrypt/gnupg-0.3.2.tar.gz

or the diff 

ftp://ftp.guug.de/pub/gcrypt/diffs/gnupg-0.3.2.diff.gz

you may also use the mirrors.

It was possible to become root by using --version and a malicious
extension module.  I fixed this and added a sentinel just before the 
dlopen() which checks that we are not setuid anymore.


Noteworthy changes in version 0.3.2
-----------------------------------
    * Fixed some bugs when using --textmode (-seat)

    * Now displays the trust status of a positive verified message.

    * Keyrings are now scanned in the sequence they are added with
      --[secret-]keyring.  Note that the default keyring is implicitly
      added as the very first one unless --no-default-keyring is used.

    * Fixed setuid and dlopen bug.


Please note, that I changed my keys; see README for details.
The reason is not security related but to allow other OpenPGP programs
to verify my signature.  


Werner
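
The kind of sentinel described above, a check placed directly before the module loader that refuses to run while setuid or setgid privileges are still held, sketched as an added example. This is not GnuPG's own code; the names ids_privileged, drop_privileges, guarded_load and demo_loader are hypothetical, and the loader is passed as a function pointer so the guard can be exercised with a stub.

```c
#include <dlfcn.h>
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as dlopen(); real callers pass dlopen itself. */
typedef void *(*loader_fn)(const char *path, int flags);

/* 1 while effective ids differ from real ids (setuid/setgid still held). */
int ids_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Drop setuid/setgid privileges permanently. Group first: setgid() may be
 * refused once the uid is gone. Fails closed if the old euid is reachable. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    if (setgid(getgid()) != 0 || setuid(ruid) != 0)
        return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;              /* saved set-user-ID survived */
    return 0;
}

/* Sentinel: checked immediately before the loader runs, so a code path that
 * skipped drop_privileges() cannot reach module code while privileged. */
void *guarded_load(const char *path, loader_fn loader)
{
    if (ids_privileged(getuid(), geteuid(), getgid(), getegid())) {
        errno = EPERM;
        return NULL;
    }
    return loader(path, RTLD_NOW);
}

/* Constructed stand-in for dlopen(), used only to exercise the guard. */
static int demo_handle;
void *demo_loader(const char *path, int flags)
{
    (void)path; (void)flags;
    return &demo_handle;
}
```

A setuid program would call drop_privileges() once, early, and route every module load through guarded_load(path, dlopen), so that an option handled before the drop cannot trigger a load with root rights.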
