[Announce] GnuPG security fix 1.0.6

Werner Koch wk@gnupg.org
Fri Jun 1 15:25:02 2001


--NKoe5XOeduwbEQHU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

I have recently released a new version of GnuPG which fixes an
exploit found by fish stiqz as well has some other bugs:

    * Security fix for a format string bug in the tty code.

    * Fixed format string bugs in all PO files.=20

    * Removed Russian translation due to too many bugs.  The FTP
      server has an unofficial but better translation in the contrib
      directory.

    * Fixed expire time calculation and keyserver access.

    * The usual set of minor bug fixes and enhancements.

Although that the posted exploit code can only be used with a special
knowledge of the target machine, I STRONGLY ADVISE TO UPDATE GnuPG to
this new version.=20

This new release should be avalable at all mirror sites (see
http://www.gnupg.org/mirrors.html and below) and at the primary location:

 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.6.tar.gz  (1896k)
 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.6.tar.gz.sig

or as a patch file:

 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.5-1.0.6.diff.gz (217k)

MD5 checksums are:

   7c319a9e5e70ad9bc3bf0d7b5008a508  gnupg-1.0.6.tar.gz
   71ae7d725776688c2e095d9672f38e61  gnupg-1.0.5-1.0.6.diff.gz

A binary distribution for MS Windows systems is available at:

  ftp://ftp.gnupg.org/gcrypt/binaty/gnupg-w32-1.0.6.zip
  ftp://ftp.gnupg.org/gcrypt/binaty/gnupg-w32-1.0.6.zip


After releasing this version it turned out that there is a small
glitch in the source when a compiler other than GCC is used.  If you
encounter a compile problem, you should fix it in include/ttyio.c
like this:

diff -r1.7.2.3 ttyio.h
27c27
<  void tty_printf  const char *fmt, ... );
---
>  void tty_printf (const char *fmt, ... );

Due to the switch to a new gettext version, some systems may have
problems with there own gettext version.  Using=20

  ./configure --with-included-gettext
 =20
should fix this (this is also mentioned in the INSTALL file)


Have fun

   Werner



Here is a list of sites mirroring ftp://ftp.gnupg.org/gcrypt/=20
Please use them if you can; new releases should show up on these
servers within a day. This mirror list is also available at
http://www.gnupg.org/mirrors.html


Australia

        ftp://ftp.planetmirror.com/pub/gnupg/
        http://ftp.planetmirror.com/pub/gnupg/
        ftp://mirror.aarnet.edu.au/pub/gnupg/

    Austria

        ftp://gd.tuwien.ac.at/privacy/gnupg/
        http://gd.tuwien.ac.at/privacy/gnupg/

    Belgium

        ftp://openbsd.rug.ac.be/pub/gcrypt/
        ftp://gnupg.x-zone.org/pub/gnupg

    Czechia

        ftp://ftp.gnupg.cz/pub/gcrypt

    Denmark

        ftp://sunsite.dk/pub/security/gcrypt/

    Finland

        ftp://ftp.jyu.fi/pub/crypt/gcrypt/

    France

        ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/

    Germany

        ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/
        ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/

    Greece

        ftp://ftp.linux.gr/pub/crypto/gnupg/
        ftp://hal.csd.auth.gr/mirrors/gnupg/

    Hungary

        ftp://ftp.kfki.hu/pub/packages/security/gnupg/

    Iceland

        ftp://ftp.hi.is/pub/mirrors/gnupg/

    Ireland

        ftp://ftp.compsoc.com/pub/gnupg/

    Italy

        ftp://ftp.linux.it/pub/mirrors/gnupg/
        ftp://ftp3.linux.it/pub/mirrors/gnupg/

    Japan

        ftp://pgp.iijlab.net/pub/gnupg/
        ftp://ftp.ring.gr.jp/pub/net/gnupg/
        http://www.ring.gr.jp/pub/net/gnupg/

    Korea

        ftp://ftp.snu.ac.kr/pub/security/gnupg/

    Poland

        ftp://sunsite.icm.edu.pl/pub/security/gnupg/

    Spain

        ftp://dimonieta.udg.es/mirror/gnupg

    Sweden

        ftp://ftp.stacken.kth.se/pub/crypto/gnupg/
        ftp://ftp.sunet.se:/pub/security/gnupg/

    Switzerland

        ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/

    Taiwan

        ftp://coda.nctu.edu.tw/Security/gcrypt

    United Kingdom

        ftp://ftp.net.lut.ac.uk/gcrypt/
        ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
        http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/


--=20
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus

--NKoe5XOeduwbEQHU
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7F41ZbH7huGIcwBMRAlOOAKCCK9Q5D56P+fWKtv+Bcllrw8b93wCeNxN8
iOJAxMyN7Fsal+nlcK7xGRU=
=w2y+
-----END PGP SIGNATURE-----

--NKoe5XOeduwbEQHU--


_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce