OpenPKG Security Advisory
OpenPKG-SA-2006.037
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2006.037 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2006.037 Advisory Published: 2008-10-06 23:02 UTC Issue Id (internal): OpenPKG-SI-20061128.01 Issue First Created: 2006-11-28 Issue Last Modified: 2006-12-08 Issue Revision: 13
Subject Name: GnuPG Subject Summary: OpenPGP cryptography tool Subject Home: http://www.gnupg.org/ Subject Versions: 1.* <= 1.4.5 && 2.* <= 2.0.1 Vulnerability Id: CVE-2006-6169, CVE-2006-6235 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service, arbitrary code execution Description: Two security issues were discovered in the OpenPGP cryptography tool GnuPG [0], versions up to and including 1.4.5 and 2.0.1. The first issue [1] is a heap-based buffer overflow which has been identified by the vendor during fixing a bug reported by Hugh Warrington [2]. The problem is that the GnuPG internal function make_printable_string() is supposed to replace possible dangerous characters from a prompt and returns an allocated string. This string may be longer than the original one, but the buffer for the prompt is only be allocated at the size of the original string. The flaw might allow attackers to cause a denial of service or even execute arbitrary code via messages with "C-escape" expansions. The second issue [3] is a memory management problem. GnuPG uses data structures called filters to process OpenPGP messages. For communication between filters, context structures are used. These are usually allocated on the stack and passed to the filter functions. At most places the OpenPGP data stream fed into these filters is closed before the context structure gets deallocated. While decrypting encrypted packets, this may not happen in all cases and the filter may use a void context structure filled with garbage. An attacker may control this garbage. The filter context includes another context used by the low-level decryption to access the decryption algorithm. This is done using a function pointer. By carefully crafting an OpenPGP message, an attacker may control this function pointer and call an arbitrary function of the process. This is a remotely exploitable bug and affects any use of GnuPG where an attacker can control the data processed by GnuPG. It is not necessary limited to encrypted data, also signed data may be affected. References: [0] http://www.gnupg.org/ [1] http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html [2] https://bugs.g10code.com/gnupg/issue728 [3] http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000246.html
Primary Package Name: gnupg Primary Package Home: http://openpkg.org/go/package/gnupg Affected Distribution: Affected Branch: Affected Package: OpenPKG Enterprise E1.0-SOLID gnupg-1.4.5-E1.0.0 OpenPKG Community 2-STABLE-20061018 gnupg-1.4.5-2.20061128 OpenPKG Community 2-STABLE gnupg-1.4.5-2.20061128 OpenPKG Community CURRENT gnupg-1.4.5-20061129 OpenPKG Community CURRENT gnupg2-2.0.1-20061129 Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID gnupg-1.4.5-E1.0.1 OpenPKG Community 2-STABLE-20061018 gnupg-1.4.6-2.20061207 OpenPKG Community 2-STABLE gnupg-1.4.6-2.20061207 OpenPKG Community CURRENT gnupg-1.4.6-20061206 OpenPKG Community CURRENT gnupg2-2.0.1-20061207
