|
|
|
|
| |
| There is a format string vulnerability in GNU Privacy Guard. By sending a GPG message with a carefully crafted malicious filename, an attacker may be able to execute arbitrary code as the user who decrypts the message. |
| |
Credit:
The information has been provided by CERT/CC.
|
| |
GNU Privacy Guard (GPG) is a free, RFC2440 compliant replacement for Pretty Good Privacy (PGP).
A format string vulnerability occurs in the do_get() function in ttyio.c, where GnuPG calls tty_printf() with a user supplied format string. When GPG encounters a filename with an unknown suffix, and is not in batch mode, it prompts the user for a new filename to write the decrypted results to. The default value (which is included in the prompt) is the existing filename. Note that the file name is embedded in the encrypted message itself, and that safe file names selected by the recipient is not sufficient to protect against this attack. If the filename embedded in the message contains printf style format characters, the message creator may be able to execute arbitrary code as the user who decrypts the message.
Impact:
An attacker may be able to execute arbitrary code as the user decrypting the message.
Solution:
Apply a patch from your vendor
|
|
|
|
|
