SecurityReason.com - Our Reason is Security


Topic: GnuPG 1.4 and 2.0 buffer overflow

SecurityAlert: 1927
CVE: CVE-2006-6169
SecurityRisk: Low
Remote Exploit: Yes
Local Exploit: Yes
Exploit Available: Yes
Credit: Werner Koch (wk gnupg org)
Published: 30.11.2006

Affected Software: GnuPG 1.4 and 2.0

Advisory Content:

GnuPG 1.4 and 2.0 buffer overflow
==================================

Summary
=======

While fixing a bug reported by Hugh Warrington, a buffer overflow has
been identified in all released GnuPG versions. The current versions
1.4.5 and 2.0.0 are affected. A small patch is provided.

Please do not send private mail in response to this message. The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).

Impact
======

When running GnuPG interactively, specially crafted messages may be used
to crash gpg or gpg2. Running gpg in batch mode, as done by all
software using gpg as a backend (e.g. mailers), is not affected by
this bug.

Exploiting this overflow seems to be possible.

gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not
affected.

Solution
========

Apply the following patch to GnuPG. It should apply cleanly to
current versions (1.4.5 as well as 2.0.0) but might also work for
older versions.

2006-11-27 Werner Koch <wk (at) g10code (dot) com>

* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
if make_printable_string returns a longer string. Fixes bug 728.

--- g10/openfile.c (revision 4348)
+++ g10/openfile.c (working copy)
@@ -144,8 +144,8 @@

s = _("Enter new filename");

- n = strlen(s) + namelen + 10;
defname = name && namelen? make_printable_string( name, namelen, 0):
NULL;
+ n = strlen(s) + (defname?strlen (defname):0) + 10;
prompt = xmalloc(n);
if( defname )
sprintf(prompt, "%s [%s]: ", s, defname );
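Review bot: the `+ 10` in the new `n = strlen(s) + (defname?strlen (defname):0) + 10;` line is still a hand-counted allowance for the `" [%s]: "` literals and the terminating NUL, and nothing ties it to the `sprintf` format two lines below; the size is now computed from the right string (the escaped `defname` rather than the raw `namelen`), which is the actual fix, but a later edit to the prompt text could silently reintroduce the same class of bug. Suggest a comment stating what the 10 covers, or, since the format is fixed, sizing the buffer from the format itself (a length-only formatting pass, or `asprintf` where the platform has it) so the magic number disappears.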

Background:
===========

The code in question was introduced on July 1, 1999 and is a
pretty obvious bug. make_printable_string is supposed to replace
possibly dangerous characters in a prompt and returns a malloced
string. Thus this string may be longer than the original one, but the
buffer for the prompt had only been allocated at the size of the original
string - oops. Note that using snprintf would not have helped in
this case. How I wish C-90 had introduced asprintf, or at least that it
were available on more platforms.

The original bug report is at https://bugs.g10code.com/gnupg/issue728 .
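To make the size mismatch concrete, the following is an added example and not GnuPG's code. toy_make_printable_string is a simplified stand-in for make_printable_string (assumption: it escapes every non-printable byte and the backslash as "\xHH", which is enough to show why the escaped copy can be longer than the input; GnuPG's real escaping rules are not reproduced here). old_prompt_size is the pre-patch computation from the raw name length, new_prompt_size is the patched computation from the escaped string, and needed_prompt_size is what the "%s [%s]: " prompt really occupies. The sample filename is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for GnuPG's make_printable_string (assumption, not the
 * real function): every non-printable byte and the backslash become "\xHH".
 * Returns a malloced string that may be longer than the input. */
char *toy_make_printable_string(const char *name, size_t namelen)
{
    /* worst case: every byte expands to four characters, plus the NUL */
    char *out = malloc(namelen * 4 + 1);
    char *p = out;
    if (!out)
        return NULL;
    for (size_t i = 0; i < namelen; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isprint(c) && c != '\\')
            *p++ = (char)c;
        else
            p += sprintf(p, "\\x%02x", (unsigned)c);
    }
    *p = '\0';
    return out;
}

/* Pre-patch sizing: based on the raw name length, computed before the
 * (possibly longer) printable copy exists. */
size_t old_prompt_size(const char *s, size_t namelen)
{
    return strlen(s) + namelen + 10;
}

/* Patched sizing: based on the escaped string that is actually formatted
 * into the prompt. */
size_t new_prompt_size(const char *s, const char *defname)
{
    return strlen(s) + (defname ? strlen(defname) : 0) + 10;
}

/* Bytes the prompt "%s [%s]: " really occupies: s, " [", defname, "]: "
 * and the terminating NUL. */
size_t needed_prompt_size(const char *s, const char *defname)
{
    return strlen(s) + 2 + strlen(defname) + 3 + 1;
}

/* Build the prompt the patched way: escape first, size from the escaped
 * string, then format with a bound. Returns a malloced string or NULL. */
char *build_prompt(const char *s, const char *name, size_t namelen)
{
    char *defname = (name && namelen) ? toy_make_printable_string(name, namelen) : NULL;
    size_t n = new_prompt_size(s, defname);
    char *prompt = malloc(n);
    if (!prompt) {
        free(defname);
        return NULL;
    }
    if (defname)
        snprintf(prompt, n, "%s [%s]: ", s, defname);
    else
        snprintf(prompt, n, "%s: ", s);
    free(defname);
    return prompt;
}

int main(void)
{
    const char *s = "Enter new filename";
    /* Constructed sample: a filename carrying three control bytes, so the
     * escaped copy grows by nine characters and outruns the old "+ 10" slack. */
    const char name[] = "ev\x01\x02\x03il.txt";
    size_t namelen = sizeof(name) - 1;
    char *defname = toy_make_printable_string(name, namelen);
    char *prompt = build_prompt(s, name, namelen);

    printf("raw length %zu, escaped length %zu\n", namelen, strlen(defname));
    printf("old allocation %zu, needed %zu, patched allocation %zu\n",
           old_prompt_size(s, namelen), needed_prompt_size(s, defname),
           new_prompt_size(s, defname));
    printf("%s\n", prompt);
    free(prompt);
    free(defname);
    return 0;
}
```

With the sample above the old computation reserves 39 bytes while the prompt needs 44, so the pre-patch sprintf would have written past the end of the allocation; the patched computation reserves 48. The point to take from the comparison is that the size must be derived from whatever string is actually written, not from an earlier form of it.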

===
[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .

--
Werner Koch <wk (at) gnupg (dot) org>
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.1rc1 (GNU/Linux)

iEYEARECAAYFAkVrHJ4ACgkQYHhOlAEKV+3OKQCgq2DZx5xez/033RhUOUy/9ElZ
FLAAnAsIc+zYjmjvo5N8rmVtVdejeLKa
=29PW
-----END PGP SIGNATURE-----