CERT/CC Vulnerability Note VU#403051

Overview

There is a format string vulnerability in GNU Privacy Guard. By sending a GPG message with a carefully crafted malicious filename, an attacker may be able to execute arbitrary code as the user who decrypts the message.

Description

GNU Privacy Guard (GPG) is a free, RFC2440 compliant replacement for Pretty Good Privacy (PGP).

A format string vulnerability occurs in the do_get() function in ttyio.c, where GnuPG calls tty_printf() with a user supplied format string. When GPG encounters a filename with an unknown suffix, and it is not in batch mode, it prompts the user for a new filename to write the decrypted results to. The default value (which is included in the prompt) is the existing filename. Note that the filename is embedded in the encrypted message itself, and that safe file names selected by the recipient is not sufficient to protect against this attack. If the filename embedded in the message contains printf style format characters, the message creator may be able to execute arbitrary code as the user who decrypts the message.

Impact

An attacker may be able to execute arbitrary code as the user decrypting the message.

Solution

Apply a patch from your vendor

GNU Privacy Guard version 1.0.6 corrects this problem. Many vendors have published security advisories and released updated distributions correcting the vulnerability.

Decrypt files in batch mode

Because the vulnerable code is not called when GnuPG is in batch mode, users may be able to work around the vulnerability by specifying --batch on the command line.

Vendor Information

403051

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Conectiva Affected

Debian Affected

FreeBSD Affected

Guardian Digital Inc. Affected

Immunix Affected

MandrakeSoft Affected

Red Hat Inc. Affected

SuSE Inc. Affected

The SCO Group (SCO Linux) Affected

Trustix Affected

TurboLinux Affected

Fujitsu Not Affected

OpenBSD Not Affected

Apple Computer Inc. Unknown

BSDI Unknown

Compaq Computer Corporation Unknown

Data General Unknown

Hewlett-Packard Company Unknown

IBM Unknown

NETBSD Unknown

NEXT Unknown

SGI Unknown

Sequent Unknown

Siemens Nixdorf Unknown

Sony Corporation Unknown

Sun Microsystems Inc. Unknown

The SCO Group (SCO UnixWare) Unknown

Unisys Unknown

View all 28 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Fish Stiqz for discovering this vulnerability.

This document was written by Cory F. Cohen.

Other Information

CVE IDs:	CVE-2001-0522
Severity Metric:	21.94
Date Public:	2001-05-29
Date First Published:	2001-12-10
Date Last Updated:	2003-11-05 21:29 UTC
Document Revision:	10

Software Engineering Institute

CERT Coordination Center

GnuPG format string vulnerability in do_get() in ttyio.c while prompting for a new filename

Vulnerability Note VU#403051