[UNIX] GnuPG Format String Vulnerability in ttyio.c's do_get()

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 17 Dec 2001 01:49:10 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  GnuPG Format String Vulnerability in ttyio.c's do_get()
------------------------------------------------------------------------

SUMMARY

There is a format string vulnerability in GNU Privacy Guard. By sending a
GPG message with a carefully crafted malicious filename, an attacker may
be able to execute arbitrary code as the user who decrypts the message.

DETAILS

GNU Privacy Guard (GPG) is a free, RFC2440 compliant replacement for
Pretty Good Privacy (PGP).

A format string vulnerability occurs in the do_get() function in ttyio.c,
where GnuPG calls tty_printf() with a user-supplied format string. When
GPG encounters a filename with an unknown suffix and is not in batch
mode, it prompts the user for a new filename to write the decrypted
results to. The default value (which is included in the prompt) is the
existing filename. Note that the filename is embedded in the encrypted
message itself, so safe filenames chosen by the recipient are not
sufficient to protect against this attack. If the filename embedded in the
message contains printf-style format characters, the message creator may
be able to execute arbitrary code as the user who decrypts the message.

Impact:
An attacker may be able to execute arbitrary code as the user decrypting
the message.

Solution:
Apply a patch from your vendor.

ADDITIONAL INFORMATION

The information has been provided by CERT/CC (VU#403051, feedback to
cert@cert.org).


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.