-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-05
- --------------------------------------------------------------------------

GLSA:        200312-05
Package:     app-crypt/gnupg
Summary:     GnuPG ElGamal signing keys compromised and
             format string vulnerability
Severity:    minimal
Gentoo bug:  34504, 35639
Date:        2003-12-12
CVE:         CAN-2003-0971, CAN-2003-0978
Exploit:     unknown
Affected:    <=1.2.3-r4
Fixed:       >=1.2.3-r5


DESCRIPTION:

Two flaws have been found in GnuPG 1.2.3.

First, ElGamal signing keys can be compromised. These keys are not
commonly used. Quote from
<http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html>:

"Phong Nguyen identified a severe bug in the way GnuPG creates and
uses ElGamal keys for signing. This is a significant security
failure which can lead to a compromise of almost all ElGamal keys
used for signing. Note that this is a real world vulnerability
which will reveal your private key within a few seconds."

Second, there is a format string flaw in the 'gpgkeys_hkp' utility
which "would allow a malicious keyserver in the worst case to execute
an arbitrary code on the user's machine." See
<http://www.s-quadra.com/advisories/Adv-20031203.txt> for
details.


SOLUTION:

All users who have created ElGamal signing keys should immediately
revoke them. Then, all Gentoo Linux machines with gnupg installed
should be updated to use gnupg-1.2.3-r5 or higher.

    emerge sync
    emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
    emerge '>=app-crypt/gnupg-1.2.3-r5'
    emerge clean
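The two steps of the solution above (find the ElGamal signing keys that must be revoked, then confirm the installed gnupg is at or above the fixed revision) can be checked from a shell. The script below is an added example and is not part of the GLSA or of Gentoo's tooling. It assumes the GnuPG colon-format key listing (`gpg --list-secret-keys --with-colons`), in which field 4 of a `sec`/`ssb` record is the public-key algorithm number and 20 denotes ElGamal sign+encrypt (16 is ElGamal encrypt-only, 17 is DSA, 1 is RSA); the key listing embedded in the script is constructed sample data with made-up key IDs. The version check only understands versions of the form X.Y.Z or X.Y.Z-rN with N below 100, which covers the range this advisory names.

```shell
#!/bin/sh
# Added example (not from the GLSA): detection helpers for GLSA 200312-05.

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# Field 4 is the public-key algorithm (17 = DSA, 16 = ElGamal encrypt-only,
# 20 = ElGamal sign+encrypt, 1 = RSA). Key IDs and user IDs are made up.
SAMPLE_KEYS='sec:u:1024:17:0123456789ABCDEF:2003-01-01::::Alice <alice@example.org>::
ssb:u:2048:16:FEDCBA9876543210:2003-01-01::::::
sec:u:1024:20:1111222233334444:2003-06-01::::Bob <bob@example.org>::
sec:u:1024:1:5555666677778888:2003-09-01::::Carol <carol@example.org>::'

# Print the key ID of every secret primary key or subkey whose algorithm is
# ElGamal sign+encrypt (20). These are the keys the advisory says to revoke.
# Argument: a colon-format key listing as one string.
elgamal_signing_keys() {
    printf '%s\n' "$1" | awk -F: '
        ($1 == "sec" || $1 == "ssb") && $4 == 20 { print $5 }'
}

# Return 0 when the gnupg version in $1 (X.Y.Z or X.Y.Z-rN, N < 100) is
# at or above the fixed revision 1.2.3-r5, and 1 otherwise (including
# for an empty or unparsable string).
gnupg_fixed() {
    printf '%s\n' "$1" | awk -F'[.-]' '
        NR == 1 {
            rev = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^r[0-9]+$/) rev = substr($i, 2) + 0
            have = $1 * 1000000 + $2 * 10000 + $3 * 100 + rev
            want = 1 * 1000000 + 2 * 10000 + 3 * 100 + 5
            ok = (have >= want)
        }
        END { exit !ok }'
}

# Stand-alone run over the constructed sample.
main() {
    echo "ElGamal signing keys to revoke:"
    elgamal_signing_keys "$SAMPLE_KEYS"
    for v in 1.2.3-r4 1.2.3-r5 1.2.4; do
        if gnupg_fixed "$v"; then
            echo "gnupg-$v: fixed"
        else
            echo "gnupg-$v: affected"
        fi
    done
}

# Only run main when executed directly, so the functions can be sourced.
case "$0" in
    */sh|sh|*/bash|bash) ;;
    *) main ;;
esac
```

On a real machine, replace the constructed listing with the output of `gpg --list-secret-keys --with-colons`, and pass the gnupg version your package manager reports to `gnupg_fixed`; any key ID printed by `elgamal_signing_keys` is one the advisory tells you to revoke before upgrading.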


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/2XUCnt0v0zAqOHYRAlrEAJwNpCuOGrcBcjKnC/c/F3AOxsTX3gCfU9ah
0gaONEybmmq0x4/vJheoXwg=
=F5DR
-----END PGP SIGNATURE-----