Overview
Some versions of GNU Privacy Guard (GPG) contain a format-string vulnerability caused by improper handling of filenames when decrypting files.
Description
GPG is an OpenPGP-compliant alternative to PGP for protecting electronic communications with public-key cryptography. Versions of GPG prior to 1.0.6 contain a format-string vulnerability. The GPG source includes a function named tty_printf(), which, like the standard C library function printf(), takes a format string followed by the data values that the format string's conversion directives refer to. The do_get() function in file util/ttyio.c of the GPG source code calls tty_printf() with the filename itself as the format string, instead of passing a constant format string followed by a pointer to the filename. Any conversion directives contained in the filename are therefore interpreted by tty_printf() rather than printed literally.
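To make the difference between the two calling patterns concrete, the following is an added illustration written for this note; it is not code from the GPG source. The names tty_printf_like(), prompt_vulnerable(), prompt_fixed() and has_format_directive() are assumed stand-ins, and the filename "secret%%2001.gpg" is a constructed sample. The "%%" directive is chosen because it is the one printf directive that consumes no argument, so the vulnerable path can be exercised deterministically; any other directive in an untrusted filename would make the vulnerable call read arguments that were never passed, which is the defect described above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for GPG's tty_printf(): behaves like printf() but renders into
 * a caller-supplied buffer so the result can be inspected. */
static int tty_printf_like(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern (what do_get() did): the untrusted filename becomes
 * the format string, so its conversion directives are interpreted. */
int prompt_vulnerable(char *buf, size_t len, const char *filename)
{
    return tty_printf_like(buf, len, filename);
}

/* Fixed pattern: a constant format string with the filename passed as a
 * data argument, so the filename is printed verbatim. */
int prompt_fixed(char *buf, size_t len, const char *filename)
{
    return tty_printf_like(buf, len, "%s", filename);
}

/* Audit helper (assumed name): returns 1 if the string contains a '%',
 * i.e. it would be acted on if it ever reached a printf-family call as
 * the format argument. Useful when triaging filenames in logs or input. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '%')
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample filename containing a format directive. */
    const char *name = "secret%%2001.gpg";
    char buf[64];

    prompt_vulnerable(buf, sizeof buf, name);
    printf("vulnerable: %s\n", buf);   /* "%%" collapsed to "%" */

    prompt_fixed(buf, sizeof buf, name);
    printf("fixed:      %s\n", buf);   /* filename printed verbatim */

    printf("contains directive: %d\n", has_format_directive(name));
    return 0;
}
```

Compilers can flag the vulnerable form at build time: with GCC or Clang, `-Wformat-security` warns when a non-literal format string is passed with no data arguments, and `-Werror=format-security` turns that into a hard error, which is the check a maintainer would want on a code base that wraps printf()-style functions.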
Impact
Attackers can craft a filename for an encrypted file that will cause GPG to execute arbitrary code when the file is decrypted by the recipient, with the privileges of the recipient user.
Solution
Upgrade GPG to version 1.0.6, available from:

Until a patch can be applied, do not decrypt messages from untrusted sources with GPG.
Vendor Information
CVSS Metrics
References
Acknowledgements
Thanks to fish stiqz for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Other Information
Field | Value
---|---
CVE IDs | CVE-2001-0522
Severity Metric | 5.83
Date Public | 2001-05-29
Date First Published | 2002-03-29
Date Last Updated | 2002-03-29 22:59 UTC
Document Revision | 9