[UNIX] GnuPG Format String Vulnerability in ttyio.c's do_get()

David Shaw dshaw@jabberwocky.com
Mon Dec 17 15:51:01 2001


--PNTmBPCT7hxwcZjr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Dec 17, 2001 at 09:12:05AM -0500, vedaal wrote:
> received the alert below from securiteam,
>=20
> is it 'real'?
> if not,
> perhaps they should be responded to before any wideapread mis-understandi=
ngs
> result,
> if yes,
> what 'patch' are they referring to?

The advisory doesn't make complete sense.  That problem was fixed in
1.0.6 way back in May.  The CERT page that the advisory refers to
shows every vendor as vulnerable, but (at least all the ones I'm
familiar with) upgraded to 1.0.6 months ago.

David

--=20
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+--------------------------------------------------------------------------=
-+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

--PNTmBPCT7hxwcZjr
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6c-cvs (GNU/Linux)

iQEVAwUBPB4Fpoccwqs8s7QVAQGW3Qf+O4tBKnPyM6TWx5MDr8k8NNo3mdplGc8L
rIBZDojLlOClS6UvBfubcCHA43lls/QjQ7t3nE4M03t3S1ZkEcD3lNEEaNKoZdVs
joD+lzipI94qBUlYkYTCWdnGRpGfULLXbPvt1YblPUxcaV/Rwd59jxDaTC3LXf5t
owS+J45frm9hS3QhxD0QuLNCx9LQ4CdYRDBnxBK7r5oBt5dirjDJXBj2nuTqTryi
Rt53FtwfgT89cZ3kpWFCfciMURwwJKDB80QyZ5wYLVIZdMIYOaJwq935slT9GOhC
OtCwwEiO+2OoCUqE3HYIkQNGAEeqdm+UmdeCpDg0F6U0qSXj/nAG4A==
=dWYX
-----END PGP SIGNATURE-----

--PNTmBPCT7hxwcZjr--