search menu icon-carat-right cmu-wordmark

CERT Coordination Center

GnuPG vulnerable to remote data control

Vulnerability Note VU#427009

Original Release Date: 2006-12-18 | Last Revised: 2007-02-06

Overview

A vulnerability in GnuPG could allow a remote attacker to execute arbitrary code on an affected system.

Description

GNU Privacy Guard (GnuPG) is the GNU project's implementation of the OpenPGP standard as defined by RFC2440.

OpenPGP messages are processed by GnuPG using data structures called filters that are used in a way similar to pipelines in the shell. Context structures that are usually allocated on the stack and passed to the filter functions are used for communications between these filters. Before the context structure gets deallocated, the OpenPGP data stream that is fed into the filters is closed. In some cases, while decrypting encrypted packets, this may not happen and the filter may use a void context structure filled with garbage that is under the attacker's control. Another context is included in the filter context for use by the low-level decryption. The decryption algorithm is accessed by this context via a function pointer.

According to GnuPG:
Using malformed OpenPGP packets an attacker is able to modify and dereference a function pointer in GnuPG.

The GnuPG advisory notes that both encrypted and signed data could be used as attack vectors for this vulnerability.

Impact

A remote, unauthenticated attacker with the ability to supply specially crafted OpenPGP packets to a vulnerable version of GnuPG may be able to execute arbitrary code on an affected system. The attacker-supplied code would be executed with the privileges of the user or application invoking gpg.

Solution

Apply a patch or upgrade

Patches have been released to address this issue. Please see the Systems Affected section of this document for more details on specific vendors.

Users who compile GnuPG from the original distribution are encouraged to upgrade to version 1.4.6 (or later) or apply the patch to upgrade from 1.4.5 to 1.4.6.


Run with limited privileges

Running GnuPG with reduced privileges may help mitigate the effects of this vulnerability. Note that this workaround will not prevent exploitation.

Vendor Information

427009
 

Debian GNU/Linux Affected

Notified:  December 18, 2006 Updated: December 21, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Debian Security Advisory dsa-1231.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux Affected

Notified:  December 18, 2006 Updated: December 21, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Gentoo Linux Security Advisory GLSA 200612-03.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GnuPG Affected

Notified:  December 07, 2006 Updated: December 07, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The GnuPG development team has published GnuPG version 1.4.6 in response to this issue. Users who compile GnuPG from the original distribution are encouraged to upgrade to this version (or later) or apply the patch to upgrade from 1.4.5 to 1.4.6.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc. Affected

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Affected

Vendor Statement

Mandriva has correct this issue with updated packages via advisory MDKSA-2006:228 (http://www.mandriva.com/security/advisories?name=MDKSA-2006:228)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenPKG Affected

Updated:  December 21, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to OpenPKG Security Advisory 2006.037.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux Affected

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Affected

Vendor Statement

We have fixed this GnuPG vulnerability in Openwall GNU/*/Linux current as of 2006/12/06 and in 2.0-stable as of 2006/12/07.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Affected

Updated:  December 07, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat has published Red Hat Security Advisory RHSA-2006:0754 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux Affected

Notified:  December 18, 2006 Updated: December 19, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to SUSE Security Summary Report SUSE-SR:2006:028.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware Linux Inc. Affected

Updated:  December 21, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Slackware security team has published Slackware Security Advisory SSA:2006-340-01 in response to this issue. Users are encouraged to review this response and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux Affected

Updated:  December 11, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Trustix Secure Linux Security Advisory #2006-0070 for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu Affected

Updated:  December 07, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Ubuntu security team has published Ubuntu Security Notice USN-393-1 in response to this issue. Users are encouraged to review this notice and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

rPath Affected

Updated:  December 07, 2006

Status

Affected

Vendor Statement

rPath Security Advisory: 2006-0227-1
Published: 2006-12-06
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Indirect Deterministic Privilege Escalation
Updated Versions:
gnupg=/conary.rpath.com@rpl:devel//1/1.4.6-0.1-

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
https://issues.rpath.com/browse/RPL-835

Description:
Previous versions of the gnupg package will execute attacker-provided
code found in intentionally malformed OpenPGP packets. This allows an
attacker to run arbitrary code as the user invoking gpg on the file
that contains the malformed packets.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc. Not Affected

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Not Affected

Notified:  December 18, 2006 Updated: December 21, 2006

Status

Not Affected

Vendor Statement

Sun does not ship GnuPG with Solaris and thus Solaris is not directly impacted by this issue. If a vulnerable version of GnuPG has been built and/or installed on a Solaris system then GnuPG will need to be updated to address this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation) Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified:  December 18, 2006 Updated: December 18, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 43 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This issue was publicly reported by Werner Koch of the GnuPG project who, in turn, credits Tavis Ormandy of the Gentoo Security Team with its discovery.

This document was written by Chad R Dougherty and Chris Taschner.

Other Information

CVE IDs: CVE-2006-6235
Severity Metric: 9.11
Date Public: 2006-12-06
Date First Published: 2006-12-18
Date Last Updated: 2007-02-06 20:46 UTC
Document Revision: 44

Sponsored by CISA.