[NEWS] GnuPG External HKP Interface Format String
From: SecuriTeam (support_at_securiteam.com)
Date: 12/03/03
To: list@securiteam.com Date: 3 Dec 2003 17:43:13 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
GnuPG External HKP Interface Format String
------------------------------------------------------------------------
SUMMARY
GnuPG is a complete and free replacement for PGP. Because it does not use
the patented IDEA algorithm, it can be used without any restrictions.
GnuPG is an RFC 2440 (OpenPGP) compliant application.
GnuPG has an external HKP interface which is marked as experimental and is
not enabled by default in the 1.2 stable branch; to use it you must compile
GnuPG with the '--enable-external-hkp' configuration option. On the 1.3
development branch the external HKP interface is enabled by default, and to
disable it you must compile GnuPG with the '--disable-hkp' configuration
option.
When the external HKP interface is enabled, GnuPG uses the 'gpgkeys_hkp'
utility for keyserver accesses. There is a format string vulnerability in
the 'gpgkeys_hkp' utility which, in the worst case, would allow a malicious
keyserver to execute arbitrary code on the user's machine.
DETAILS
Vulnerable systems:
* GnuPG version 1.2.3
* GnuPG version 1.3.3
The offending code can be found in keyserver/gpgkeys_hkp.c:
int get_key(char *getkey)
{
  int rc,gotit=0;
  char search[29];
  char *request;
  struct http_context hd;
  ...
  if(verbose>2)
    fprintf(console,"gpgkeys: HTTP URL is \"%s\"\n",request);
  rc=http_open_document(&hd,request,http_flags);
  if(rc!=0)
    {
      fprintf(console,"gpgkeys: HKP fetch error: %s\n",
              rc==G10ERR_NETWORK?strerror(errno):g10_errstr(rc));
      fprintf(output,"KEY 0x%s FAILED\n",getkey);
    }
  else
    {
      unsigned int maxlen=1024,buflen;
      byte *line=NULL;
      /* each line of the keyserver's HTTP response body is read into `line` */
      while(iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen))
        {
          maxlen=1024;
          if(gotit)
            {
              // S-Quadra: here is where format string bug lives
              /* `line` is untrusted keyserver data used as the format argument */
              fprintf(output,line);
              if(strcmp(line,"-----END PGP PUBLIC KEY BLOCK-----\n")==0)
                break;
            }
          else
            if(strcmp(line,"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")==0)
              {
                // S-Quadra: here is where format string bug lives
                fprintf(output,line);
                gotit=1;
              }
        }
  ...
  return 0;
}
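The two flagged calls pass a line received from the keyserver as the format argument of fprintf(), so any '%' conversions in that line are interpreted rather than printed. The following is an added example (not GnuPG code) showing the hardened write that should replace fprintf(output,line), plus a small check that counts conversion specifiers in a response line, which a defender can use to flag a keyserver sending data an armored key block would never legitimately contain. The sample lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the vulnerable fprintf(output, line) call.
 * fputs() treats the text purely as data; fprintf(out, "%s", line) is
 * equivalent. Returns 0 on success, -1 on a write error. */
static int write_key_line(FILE *out, const char *line)
{
    return fputs(line, out) == EOF ? -1 : 0;
}

/* Count printf-style conversion specifiers in a response line. A legitimate
 * ASCII-armored key block never needs one, so a non-zero count is a useful
 * signal that the keyserver is sending hostile data. A "%%" literal is not
 * a conversion and is skipped; a trailing lone '%' is ignored. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent sign */
            s++;
            continue;
        }
        if (s[1] == '\0')
            break;
        n++;
    }
    return n;
}

/* Round-trip a line through write_key_line() via a temporary file and copy
 * the bytes that actually reached the output into buf. Returns the number
 * of bytes read back, or -1 on error. */
static long roundtrip_line(const char *line, char *buf, size_t buflen)
{
    FILE *fp = tmpfile();
    size_t got;
    if (fp == NULL)
        return -1;
    if (write_key_line(fp, line) != 0) {
        fclose(fp);
        return -1;
    }
    rewind(fp);
    got = fread(buf, 1, buflen - 1, fp);
    buf[got] = '\0';
    fclose(fp);
    return (long)got;
}

int main(void)
{
    /* Constructed sample response lines: one benign, one carrying conversions. */
    const char *benign = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n";
    const char *hostile = "%08x.%08x.%n\n";
    char buf[128];

    printf("benign line conversions:  %d\n", count_conversions(benign));
    printf("hostile line conversions: %d\n", count_conversions(hostile));
    roundtrip_line(hostile, buf, sizeof buf);
    /* With the hardened writer the text is emitted literally, not interpreted. */
    printf("hostile line emitted literally: %s\n",
           strcmp(buf, hostile) == 0 ? "yes" : "no");
    return 0;
}
```

The design point is that the fix does not need any filtering: once untrusted text is passed as an argument instead of as the format, the conversion characters are inert. count_conversions() is only a detection aid for logging or rejecting a suspicious keyserver response.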
Fix information:
S-Quadra alerted the GnuPG development team to this issue on 27 November
2003. For the 1.2 branch a fix is available in CVS; the latest development
version, 1.3.4, also contains the fix for the reported bug.
ADDITIONAL INFORMATION
The advisory is available at:
http://www.s-quadra.com/advisories/Adv-20031203.txt
The information has been provided by S-Quadra Security Research
<mailto:research@s-quadra.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.