SecurityTracker.com
Category:  Application (Security)  >  GnuPG (Gnu Privacy Guard) Vendors:  Gnupg.org
GnuPG Interactive Mode Buffer Overflow in make_printable_string() May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017291
SecurityTracker URL:  http://securitytracker.com/id?1017291
CVE Reference:  CVE-2006-6169   (Links to External Site)
Updated:  Dec 6 2006
Original Entry Date:  Nov 28 2006
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.4.5, 2.0.0
Description:  A vulnerability was reported in GnuPG. A remote user can create a specially crafted message that, when processed by the target user with gpg or gpg2 running interactively, will trigger a heap-based buffer overflow, crashing the program and potentially executing arbitrary code on the target system.

The vulnerability resides in ask_outfile_name() in 'g10/openfile.c'. The prompt buffer is sized from the length of the original filename, but make_printable_string() escapes unsafe characters and returns a malloced string that can be longer than the original; sprintf() then writes that longer string into the undersized buffer. The bug dates from code introduced in July 1999 and affects all released versions, including the then-current 1.4.5 and 2.0.0.

The vulnerability can be triggered only in interactive mode. Batch mode, as used by software that drives gpg as a backend (e.g. mail clients), is not affected.

gpg-agent, gpgsm, gpgv, and other tools from the GnuPG suite are not affected.

The original bug report is available at:

https://bugs.g10code.com/gnupg/issue728
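To make the boundary error concrete, the following is an added example written for this page; it is not GnuPG code and does not reproduce make_printable_string() exactly. It models the ask_outfile_name() pattern from the vendor patch: the pre-patch code allocates strlen(s) + namelen + 10 bytes for the prompt, but what is formatted into that buffer is the escaped form of the filename, which can be several times longer. The escaping routine (one \xNN sequence per control byte), the 32-byte constructed filename, and the helper names are assumptions made for illustration.

```c
/*
 * Added example (not GnuPG code): a model of the ask_outfile_name()
 * prompt-buffer overflow fixed by the patch in this advisory.
 *
 * make_printable_string_model() and the "+ 10" slack constant follow the
 * behaviour described in the advisory and patch; the escaping scheme and
 * the sample inputs are assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Escape every non-printable byte (and backslash) as \xNN, so one raw
 * byte can become four output bytes.  Stand-in for GnuPG's
 * make_printable_string(), not its real output format. */
static char *make_printable_string_model(const unsigned char *p, size_t n)
{
    char *out = malloc(4 * n + 1);          /* worst case: every byte escaped */
    char *q = out;
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (isprint(p[i]) && p[i] != '\\')
            *q++ = (char)p[i];
        else
            q += sprintf(q, "\\x%02x", (unsigned)p[i]);
    }
    *q = '\0';
    return out;
}

static const char PROMPT_TEXT[] = "Enter new filename";   /* the patch's s */

/* Bytes that sprintf(prompt, "%s [%s]: ", s, defname) writes, NUL included:
 * s, " [", defname, "]: " and the terminator. */
static size_t prompt_bytes_needed(const char *s, const char *defname)
{
    return strlen(s) + 2 + strlen(defname) + 3 + 1;
}

/* Pre-patch allocation: sized from the raw name length (namelen). */
size_t vulnerable_alloc(size_t namelen)
{
    return strlen(PROMPT_TEXT) + namelen + 10;
}

/* Patched allocation: sized from the printable string that is actually used. */
static size_t fixed_alloc(const char *defname)
{
    return strlen(PROMPT_TEXT) + (defname ? strlen(defname) : 0) + 10;
}

/* 1 if the pre-patch buffer would be overrun for this filename, else 0. */
int overflows_before_patch(const unsigned char *name, size_t namelen)
{
    char *defname = make_printable_string_model(name, namelen);
    int r = prompt_bytes_needed(PROMPT_TEXT, defname) > vulnerable_alloc(namelen);
    free(defname);
    return r;
}

/* 1 if the patched allocation holds the whole prompt.  snprintf() is used
 * as a second line of defence: a miscounted n would truncate, not overflow. */
int fits_after_patch(const unsigned char *name, size_t namelen)
{
    char *defname = make_printable_string_model(name, namelen);
    size_t n = fixed_alloc(defname);
    char *prompt = malloc(n);
    int written = snprintf(prompt, n, "%s [%s]: ", PROMPT_TEXT, defname);
    int ok = written >= 0 && (size_t)written < n;
    free(prompt);
    free(defname);
    return ok;
}

/* Constructed hostile input: a 32-byte filename made only of 0x01 bytes,
 * as an attacker could embed in a crafted message.  Each byte escapes to
 * 4 characters, so the printable form is 128 bytes long. */
#define HOSTILE_LEN 32

size_t hostile_name_needed_bytes(void)
{
    unsigned char h[HOSTILE_LEN];
    memset(h, 0x01, HOSTILE_LEN);
    char *d = make_printable_string_model(h, HOSTILE_LEN);
    size_t n = prompt_bytes_needed(PROMPT_TEXT, d);
    free(d);
    return n;
}

int hostile_name_overflows(void)
{
    unsigned char h[HOSTILE_LEN];
    memset(h, 0x01, HOSTILE_LEN);
    return overflows_before_patch(h, HOSTILE_LEN);
}

int hostile_name_fits_after_patch(void)
{
    unsigned char h[HOSTILE_LEN];
    memset(h, 0x01, HOSTILE_LEN);
    return fits_after_patch(h, HOSTILE_LEN);
}

int main(void)
{
    const unsigned char benign[] = "report.txt";          /* constructed */
    size_t blen = strlen((const char *)benign);

    printf("benign  : alloc %zu, overflow before patch %d, fits after %d\n",
           vulnerable_alloc(blen), overflows_before_patch(benign, blen),
           fits_after_patch(benign, blen));
    printf("hostile : alloc %zu, needs %zu, overflow before patch %d, fits after %d\n",
           vulnerable_alloc(HOSTILE_LEN), hostile_name_needed_bytes(),
           hostile_name_overflows(), hostile_name_fits_after_patch());
    return 0;
}
```

For the benign name the 10-byte slack hides the bug (34 bytes needed, 38 allocated), which is why the code survived from 1999. For the hostile name the pre-patch code allocates 60 bytes and writes 152, a heap overrun of more than 90 bytes under the attacker's control; sizing from the printable string, as the patch does, makes the allocation 156 bytes and the write fits.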

Impact:  A remote user can crash gpg or gpg2 running in interactive mode and may be able to cause arbitrary code to be executed on the target system.
Solution:  A fix is available in the vendor's source repository. The vendor has also issued a patch (reproduced in the source message below) that applies cleanly to 1.4.5 and 2.0.0 and may also apply to older versions.
Vendor URL:  www.gnupg.org/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Werner Koch <wk@gnupg.org>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 6 2006 (Red Hat Issues Fix) GnuPG Interactive Mode Buffer Overflow in make_printable_string() May Let Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, and 4.



 Source Message Contents

Date:  Mon, 27 Nov 2006 18:13:02 +0100
From:  Werner Koch <wk@gnupg.org>
Subject:  GnuPG 1.4 and 2.0 buffer overflow

 

            GnuPG 1.4 and 2.0 buffer overflow
           =================================

Summary
=======

While fixing a bug reported by Hugh Warrington, a buffer overflow has
been identified in all released GnuPG versions.  The current versions
1.4.5 and 2.0.0 are affected.  A small patch is provided.

Please do not send private mail in response to this message.  The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).


Impact
======

When running GnuPG interactively, specially crafted messages may be used
to crash gpg or gpg2.  Running gpg in batch mode, as done by all
software using gpg as a backend (e.g. mailers), is not affected by
this bug.

Exploiting this overflow seems to be possible.

gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not
affected.



Solution
========

Apply the following patch to GnuPG.  It should apply cleanly to
current versions (1.4.5 as well as 2.0.0) but might also work for
older versions.

2006-11-27  Werner Koch  <wk@g10code.com>

	* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
	if make_printable_string returns a longer string.  Fixes bug 728.

=2D-- g10/openfile.c      (revision 4348)
+++ g10/openfile.c      (working copy)
@@ -144,8 +144,8 @@
=20
     s =3D _("Enter new filename");
=20
=2D    n =3D strlen(s) + namelen + 10;
     defname =3D name && namelen? make_printable_string( name, namelen, 0):=
 NULL;
+    n =3D strlen(s) + (defname?strlen (defname):0) + 10;
     prompt =3D xmalloc(n);
     if( defname )
        sprintf(prompt, "%s [%s]: ", s, defname );
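Review bot: the corrected size still rests on a hand-computed slack constant followed by an unbounded write: `n = strlen(s) + (defname?strlen (defname):0) + 10;` then `sprintf(prompt, "%s [%s]: ", s, defname );`. The format contributes 5 characters plus the NUL, so 10 is enough today, but nothing in the code ties the constant to the format string, and a later change to either line can reopen the overflow silently. Consider deriving n from the literal (for example `strlen(s) + strlen(defname) + sizeof(" []: ")`) or, since asprintf is not portable here, using `snprintf(prompt, n, ...)` and checking its return value, so that a miscount truncates the prompt instead of corrupting the heap. Moving the `n =` computation below the make_printable_string() call is required, since defname must exist before its length can be taken; that reordering is the actual fix.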



Background:
===========

The code in question was introduced on July 1, 1999 and is a
pretty obvious bug.  make_printable_string is supposed to replace
possibly dangerous characters from a prompt and returns a malloced
string.  Thus this string may be longer than the original one; the
buffer for the prompt has only been allocated at the size of the original
string - oops.  Note that using snprintf would not have helped in
this case.  How I wish C-90 had introduced asprintf, or at least that it
were available on more platforms.

The original bug report is at https://bugs.g10code.com/gnupg/issue728 .



===
[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .


-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Join the Fellowship and protect your Freedom!    http://www.fsfe.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.1rc1 (GNU/Linux)

iEYEARECAAYFAkVrHJ4ACgkQYHhOlAEKV+3OKQCgq2DZx5xez/033RhUOUy/9ElZ
FLAAnAsIc+zYjmjvo5N8rmVtVdejeLKa
=29PW
-----END PGP SIGNATURE-----

 


Copyright 2006, SecurityGlobal.net LLC