GLSA: gnupg (200312-05)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: GLSA: gnupg (200312-05)
From: Rajiv Aaron Manglani <rajiv@xxxxxxxxxx>
Date: Fri, 12 Dec 2003 03:14:26 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-05
- --------------------------------------------------------------------------

GLSA:        200312-05
Package:     app-crypt/gnupg
Summary:     GnuPG ElGamal signing keys compromised and
                format string vulnerability
Severity:    minimal
Gentoo bug:  34504, 35639
Date:        2003-12-12
CVE:         CAN-2003-0971, CAN-2003-0978
Exploit:     unknown
Affected:    <=1.2.3-r4
Fixed:       >=1.2.3-r5


DESCRIPTION:

Two flaws have been found in GnuPG 1.2.3.

First, ElGamal signing keys can be compromised. These keys are not
commonly used. Quote from
<http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html>:

   "Phong Nguyen identified a severe bug in the way GnuPG creates and
   uses ElGamal keys for signing. This is a significant security
   failure which can lead to a compromise of almost all ElGamal keys
   used for signing. Note that this is a real world vulnerability
   which will reveal your private key within a few seconds."

Second, there is a format string flaw in the 'gpgkeys_hkp' utility
which "would allow a malicious keyserver in the worst case to execute
an arbitrary code on the user's machine." See
<http://www.s-quadra.com/advisories/Adv-20031203.txt> for
details.


SOLUTION:

All users who have created ElGamal signing keys should immediately
revoke them. Then, all Gentoo Linux machines with gnupg installed
should be updated to use gnupg-1.2.3-r5 or higher.

        emerge sync
        emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
        emerge '>=app-crypt/gnupg-1.2.3-r5'
        emerge clean


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/2XUCnt0v0zAqOHYRAlrEAJwNpCuOGrcBcjKnC/c/F3AOxsTX3gCfU9ah
0gaONEybmmq0x4/vJheoXwg=
=F5DR
-----END PGP SIGNATURE-----

Prev by Date: Re: A new TCP/IP blind data injection technique?
Next by Date: eZ and eZphotoshare fixes
Previous by thread: Finjan Software Discovers a New Critical Vulnerability In Yahoo E-mail Service
Next by thread: eZ and eZphotoshare fixes
Index(es):
- Date
- Thread