Gentoo Archives: gentoo-announce

From: Rajiv Aaron Manglani <rajiv@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: gnupg (200312-05)
Date: Fri, 12 Dec 2003 02:12:30
Message-Id: a05210600bbff26ce5649@[10.96.0.12]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-05
- --------------------------------------------------------------------------

GLSA: 200312-05
Package: app-crypt/gnupg
Summary: GnuPG ElGamal signing keys compromised and
format string vulnerability
Severity: minimal
Gentoo bug: 34504, 35639
Date: 2003-12-12
CVE: CAN-2003-0971, CAN-2003-0978
Exploit: unknown
Affected: <=1.2.3-r4
Fixed: >=1.2.3-r5


DESCRIPTION:

Two flaws have been found in GnuPG 1.2.3.

First, ElGamal signing keys can be compromised. These keys are not
commonly used. Quote from
<http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html>:

"Phong Nguyen identified a severe bug in the way GnuPG creates and
uses ElGamal keys for signing. This is a significant security
failure which can lead to a compromise of almost all ElGamal keys
used for signing. Note that this is a real world vulnerability
which will reveal your private key within a few seconds."

Second, there is a format string flaw in the 'gpgkeys_hkp' utility
which "would allow a malicious keyserver in the worst case to execute
an arbitrary code on the user's machine." See
<http://www.s-quadra.com/advisories/Adv-20031203.txt> for
details.


SOLUTION:

All users who have created ElGamal signing keys should immediately
revoke them. Then, all Gentoo Linux machines with gnupg installed
should be updated to use gnupg-1.2.3-r5 or higher.

emerge sync
emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
emerge '>=app-crypt/gnupg-1.2.3-r5'
emerge clean
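The advisory asks administrators to find and revoke ElGamal signing keys and to confirm the installed gnupg is at or above 1.2.3-r5. The script below is an added example, not part of this GLSA or of GnuPG: it scans the machine-readable `gpg --list-keys --with-colons` output for ElGamal sign-capable keys (OpenPGP public-key algorithm 20, "Elgamal (Encrypt or Sign)" in RFC 2440; field 4 of the colon format) and compares a version string against the fixed range. The key ids in the embedded listing are constructed, not real keys, and the version check assumes GNU sort's -V option.

```sh
#!/bin/sh
# Added example, not part of the GLSA or of GnuPG: find ElGamal sign-capable
# keys in `gpg --list-keys --with-colons` output and check whether an
# installed gnupg version is in this advisory's affected range (<=1.2.3-r4).
#
# Colon-format fields used: $1 = record type (pub/sub), $4 = public-key
# algorithm id, $5 = key id.  Algorithm 20 is "Elgamal (Encrypt or Sign)"
# (RFC 2440); algorithm 16 is ElGamal encrypt-only, which the advisory does
# not cover, so it is deliberately not flagged.

# Print "type:keyid" for every ElGamal sign-capable key on stdin.
find_elgamal_signing_keys() {
    awk -F: '($1 == "pub" || $1 == "sub") && $4 == "20" { print $1 ":" $5 }'
}

# Constructed sample listing with hypothetical key ids (not real keys).
SAMPLE_LISTING='tru::1:1071000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2003-01-01:::u:DSA User <dsa@example.org>::scESC:
sub:u:2048:16:FEDCBA9876543210:2003-01-01::::::e:
pub:u:1024:20:1111222233334444:2002-05-05:::u:Elg Signer <elg@example.org>::scESC:
sub:u:1024:20:5555666677778888:2002-05-05::::::esa:
pub:u:1024:1:AAAABBBBCCCCDDDD:2003-06-06:::u:RSA User <rsa@example.org>::scESC:'

# Run the scan over the constructed sample and return the hits on one line.
scan_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | find_elgamal_signing_keys | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 (true) if VERSION (e.g. "1.2.3-r4") is below the fixed 1.2.3-r5.
# Assumes GNU sort's -V (version sort), which orders "-rN" revisions numerically.
is_affected() {
    fixed="1.2.3-r5"
    [ "$1" = "$fixed" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# Offline demonstration on the constructed listing.  On a real system pipe
# `gpg --list-keys --with-colons` (and `gpg --list-secret-keys --with-colons`)
# into find_elgamal_signing_keys instead, and feed the version reported by
# `gpg --version` or the installed app-crypt/gnupg ebuild to is_affected.
echo "ElGamal sign-capable keys to revoke: $(scan_sample)"
for v in 1.2.3-r4 1.2.3-r5; do
    if is_affected "$v"; then echo "$v: affected"; else echo "$v: fixed"; fi
done
```

Keys reported by the scan are the ones the SOLUTION section says to revoke; encrypt-only ElGamal subkeys (algorithm 16) are intentionally left out because the advisory concerns signing keys only.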


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/2XUCnt0v0zAqOHYRAlrEAJwNpCuOGrcBcjKnC/c/F3AOxsTX3gCfU9ah
0gaONEybmmq0x4/vJheoXwg=
=F5DR
-----END PGP SIGNATURE-----