Your message dated Tue, 20 Feb 2007 01:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#401913: fixed in gnupg2 2.0.2-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: gnupg2
Version: 1.9.15-4
Severity: grave
Tags: security
Justification: user security hole
http://lwn.net/Articles/212909/
From: Werner Koch <wk-AT-g10code.com>
To: bugtraq-AT-securityfocus.com
Subject: GnuPG: remotely controllable function pointer [CVE-2006-6235]
Date: Wed, 06 Dec 2006 16:58:16 +0100
Cc: lwn-AT-lwn.net
GnuPG: remotely controllable function pointer [CVE-2006-6235]
===============================================================
2006-12-04
Summary
=======
Tavis Ormandy of the Gentoo security team identified a severe and
exploitable bug in the processing of encrypted packets in GnuPG.
[ Please do not send private mail in response to this message. The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]). ]
Impact
======
Using malformed OpenPGP packets an attacker is able to modify and
dereference a function pointer in GnuPG. This is a remotely
exploitable bug and affects any use of GnuPG where an attacker can
control the data processed by GnuPG. It is not necessary limited to
encrypted data, also signed data may be affected.
Affected versions: All versions of GnuPG < 1.4.6
All versions of GnuPG-2 < 2.0.2
All beta versions of GnuPG-2 (1.9.0 .. 1.9.95)
Affected tools: gpg, gpgv, gpg2 and gpgv2.
Affected platforms: All.
gpg-agent, gpgsm as well as other tools are not affected.
A workaround is not known.
Solution
========
If you are using a vendor supplied version of GnuPG:
* Wait for an update from your vendor. Vendors have been informed on
Saturday December 2, less than a day after this bug has been reported.
If you are using GnuPG 1.4:
* Update as soon as possible to GnuPG 1.4.6. It has been uploaded to
the usual location: ftp://ftp.gnupg.org/gcrypt/gnupg/. This version
was due to be released anyway this week. See
http://www.gnupg.org/download/ for details.
* Or: As another and less intrusive option, apply the attached patch
to GnuPG 1.4.5. This is the smallest possible fix.
If you are using GnuPG 2.0:
* Apply the attached patch against GnuPG 2.0.1.
* Or: Stop using gpg2 and gpgv2, install GnuPG 1.4.6 and use gpg and gpgv
instead.
If you are using a binary Windows version of GnuPG:
* A binary version of GnuPG 1.4.6 for Windows is available as usual.
* Gpg4win 1.0.8, including GnuPG 1.4.6, is available. Please go to
http://www.gpg4win.org .
Background
==========
GnuPG uses data structures called filters to process OpenPGP messages.
These filters ware used in a similar way as a pipelines in the shell.
For communication between these filters context structures are used.
These are usually allocated on the stack and passed to the filter
functions. At most places the OpenPGP data stream fed into these
filters is closed before the context structure gets deallocated.
While decrypting encrypted packets, this may not happen in all cases
and the filter may use a void contest structure filled with garbage.
An attacker may control this garbage. The filter context includes
another context used by the low-level decryption to access the
decryption algorithm. This is done using a function pointer. By
carefully crafting an OpenPGP message, an attacker may control this
function pointer and call an arbitrary function of the process.
Obviously an exploit needs to prepared for a specific version,
compiler, libc, etc to be successful - but it is definitely doable.
Fixing this is obvious: We need to allocate the context on the heap
and use a reference count to keep it valid as long as either the
controlling code or the filter code needs it.
We have checked all other usages of such a stack based filter contexts
but fortunately found no other vulnerable places. This allows to
release a relatively small patch. However, for reasons of code
cleanness and easier audits we will soon start to change all these
stack based filter contexts to heap based ones.
Support
=======
g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's
principal author, is currently funding GnuPG development. As evident
by the two vulnerabilities found within a week, a review of the entire
code base should be undertaken as soon as possible. As maintainers we
try to do our best and are working slowly through the code. The long
standing plan is to scrutinize the 2.0 code base, write more test
cases and to backport new fixes and cleanups to 1.4. However, as a
small company our resources are limited and we need to prioritize
other projects which get us actual revenues. Support contracts or
other financial backing would greatly help us to improve the quality
of GnuPG.
Thanks
======
Tavis Ormandy found this vulnerability.
[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (990, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.32-debian13+bluesmoke+lm85
Locale: LANG=pt_BR.ISO-8859-1, LC_CTYPE=pt_BR.ISO-8859-1 (charmap=ISO-8859-1)
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.0.2-1
We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive:
gnupg-agent_2.0.2-1_i386.deb
to pool/main/g/gnupg2/gnupg-agent_2.0.2-1_i386.deb
gnupg2_2.0.2-1.diff.gz
to pool/main/g/gnupg2/gnupg2_2.0.2-1.diff.gz
gnupg2_2.0.2-1.dsc
to pool/main/g/gnupg2/gnupg2_2.0.2-1.dsc
gnupg2_2.0.2-1_i386.deb
to pool/main/g/gnupg2/gnupg2_2.0.2-1_i386.deb
gnupg2_2.0.2.orig.tar.gz
to pool/main/g/gnupg2/gnupg2_2.0.2.orig.tar.gz
gpgsm_2.0.2-1_i386.deb
to pool/main/g/gnupg2/gpgsm_2.0.2-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eric Dorland <[EMAIL PROTECTED]> (supplier of updated gnupg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 19 Feb 2007 20:34:52 -0500
Source: gnupg2
Binary: gnupg2 gpgsm gnupg-agent
Architecture: source i386
Version: 2.0.2-1
Distribution: unstable
Urgency: high
Maintainer: Eric Dorland <[EMAIL PROTECTED]>
Changed-By: Eric Dorland <[EMAIL PROTECTED]>
Description:
gnupg-agent - GNU privacy guard - password agent
gnupg2 - GNU privacy guard - a free PGP replacement
gpgsm - GNU privacy guard - S/MIME version
Closes: 400777 401895 401913 409559
Changes:
gnupg2 (2.0.2-1) unstable; urgency=high
.
* New upstream release. (Closes: #409559)
* Thanks Andreas Barth for NMUs. (Closes: #400777, #401895, #401913)
* debian/gpgsm.install: pcsc-wrapper renamed to gnupg-pcsc-wrapper.
Files:
8dc89e59c887eca0f60451d3322533e2 854 utils optional gnupg2_2.0.2-1.dsc
228841783d8923857a08938488449025 5418412 utils optional
gnupg2_2.0.2.orig.tar.gz
5c3075707132afc8ec5cd123cee229cc 41293 utils optional gnupg2_2.0.2-1.diff.gz
3da49c109bf12e0b4aeb00b8898bd809 206342 utils optional
gnupg-agent_2.0.2-1_i386.deb
31360a8f04e149a9f40dcb50468b437c 341710 utils optional gpgsm_2.0.2-1_i386.deb
3dccdc07b279a2c41111d03431be1838 992744 utils extra gnupg2_2.0.2-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFF2lJYYemOzxbZcMYRAsCHAKCuKy584lE+Mjjt/28y2R5zV3XFEwCeP+uZ
vPsYRHDfue5KTeuUwtsweI4=
=SLli
-----END PGP SIGNATURE-----
--- End Message ---
