[security-alerts] FW: [SA23094] GnuPG "make_printable_string()" Buffer Overflow Vulnerability

["Kazennov, Vladimir" <Vladimir.Kazennov@xxxxxxxxxx>]

> ----------------------------------------------------------------------
> 
> TITLE:
> GnuPG "make_printable_string()" Buffer Overflow Vulnerability
> 
> SECUNIA ADVISORY ID:
> SA23094
> 
> VERIFY ADVISORY:
> http://secunia.com/advisories/23094/
> 
> CRITICAL:
> Moderately critical
> 
> IMPACT:
> System access
> 
> WHERE:
> From remote
> 
> SOFTWARE:
> GnuPG / gpg 1.4.x
> http://secunia.com/product/8087/
> GnuPG / gpg 1.3.x
> http://secunia.com/product/2591/
> GnuPG / gpg 1.2.x
> http://secunia.com/product/309/
> GnuPG / gpg 1.0.x
> http://secunia.com/product/2573/
> GnuPG / gpg 2.x
> http://secunia.com/product/12760/
> 
> DESCRIPTION:
> Hugh Warrington has reported a vulnerability in GnuPG, which
> potentially can be exploited by malicious people to compromise a
> user's system.
> 
> The vulnerability is caused due to a boundary error in the
> "ask_outfile_name()" function in openfile.c, because the
> "make_printable_string()" function can return a string longer than
> the expected "NAMELEN". This can be exploited to cause a buffer
> overflow by e.g. tricking a user into processing a specially crafted
> file using the interactive mode.
> 
> Successful exploitation may allow the execution of arbitrary code,
> but requires that the interactive mode is used. Applications using
> the batch mode (e.g. most e-mail clients) are not affected.
> 
> The vulnerability is reported in version 1.4.5 and 2.0.0. Other
> versions may also be affected.
> 
> SOLUTION:
> Apply patch.
> http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANC
H-1-4/g10/openfile.c?rev=4349&r1=4215&r2=4349
> 
> PROVIDED AND/OR DISCOVERED BY:
> Hugh Warrington
> 
> ORIGINAL ADVISORY:
> http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html
>