The GnuPG format string bug (was: TSLSA-2001-0009 - GnuPG)
Werner Koch
wk@gnupg.org
Fri Jun 8 19:30:01 2001
Hi!
A remark on the recent GnuPG bug and the exploit:
In many cases GnuPG is used as a backend for a MUA or some script.
In these cases gpg should be called with the option --batch which
suppresses the output of the filename to the tty and thereby makes
it immune against the bug. So, it should be save to continue using
GnuPG from within a MUA.
However, I strongly recommend to upgrade anyway or just fix the
problem in util/ttyio.c as fish stiqz suggested.
There are minor build problem in GnuPG 1.0.6 when GCC is not used.
The missing parenthesis is quite obvious and the other problems are
related to gettext. If you encounter such a problem try to use
./configure --with-included-gettext && make
and if this also fails, forget about NLS by using
./configure --disable-nls && make
BTW, the Windows version is not affect by this bug, but there are
probably other problems with this system ;-)
Please send complains or other comments to <gnupg-users@gnupg.org>
and NOT by private mail. Thanks.
Ciao,
Werner
--
Werner Koch Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions -- Augustinus