The GnuPG format string bug (was: TSLSA-2001-0009 - GnuPG)

Werner Koch wk@gnupg.org
Fri Jun 8 19:30:01 2001


Hi!

A remark on the recent GnuPG bug and the exploit:

In many cases GnuPG is used as a backend for a MUA or some script.
In these cases gpg should be called with the option --batch which
suppresses the output of the filename to the tty and thereby makes
it immune against the bug.  So, it should be save to continue using
GnuPG from within a MUA.

However, I strongly recommend to upgrade anyway or just fix the
problem in util/ttyio.c as fish stiqz suggested.

There are minor build problem in GnuPG 1.0.6 when GCC is not used.
The missing parenthesis is quite obvious and the other problems are
related to gettext.  If you encounter such a problem try to use

  ./configure --with-included-gettext && make
  
and if this also fails, forget about NLS by using

  ./configure --disable-nls && make
  
BTW, the Windows version is not affect by this bug, but there are
probably other problems with this system ;-)

Please send complains or other comments to <gnupg-users@gnupg.org>
and NOT by private mail.  Thanks.

Ciao,

  Werner


-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus