linux, säkerhet

6599885 2001-06-08 12:17 -0600  /149 rader/ Caldera Support Information <sup-info@opus.caldera.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-06-09  00:53  av Brevbäraren
Extern mottagare: announce@lists.caldera.com
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: linux-security@redhat.com
Extern mottagare: linuxlist@securityportal.com
Mottagare: Bugtraq (import) <17337>
Ärende: [CSSA-2001-020.0] Format bug in gnupg
------------------------------------------------------------
From: Caldera Support Information <sup-info@opus.caldera.com>
To: announce@lists.caldera.com, bugtraq@securityfocus.com,
 linux-security@redhat.com, linuxlist@securityportal.com
Message-ID: <20010608121723.A2166@opus.caldera.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		format bug in gnupg
Advisory number: 	CSSA-2001-020.0
Issue date: 		2001 June, 08
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a format string problem in the printing of filenames of
   GnuPG. It is possible that a remote attacker creates a mailmessage
   that when opened with a mailprogram exploits the problem and
   allows the attacker to gain access to the users account.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3		All packages previous to
   				gnupg-1.0.6-1

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder  	gnupg-1.0.6-1

   OpenLinux eDesktop 2.4       All packages previous to
   				gnupg-1.0.6-1

3. Solution

   Workaround

      none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS
   
   4.2 Verification

       c34cd4d1c2de4caebdb52b6057752127  RPMS/gnupg-1.0.6-1.i386.rpm
       46b5360e1f2ea45681b95a6c3b1bb34f  SRPMS/gnupg-1.0.6-1.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv gnu*.i386.rpm

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       d8c6d2f3ca54e5e677b8bec6b5089687  RPMS/gnupg-1.0.6-1.i386.rpm
       46b5360e1f2ea45681b95a6c3b1bb34f  SRPMS/gnupg-1.0.6-1.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fvh gnu*i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       f4931404eab64b6365b4abba69a42ef4  RPMS/gnupg-1.0.6-1.i386.rpm
       46b5360e1f2ea45681b95a6c3b1bb34f  SRPMS/gnupg-1.0.6-1.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

           rpm -Fvh gnu*i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10044.

8. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through
   our security advisories. Our advisories are a service to our
   customers intended to promote secure installation and use of
   Caldera OpenLinux.

9. Acknowledgements:

   Caldera International wishes to thank Synnergy Networks for
   reporting the problem and the GnuPG folks for providing a fixed
   version.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7II/m18sy83A/qfwRAvyKAJ0TvawBBR3HBslME92rcn/DclhmNgCeIDT5
MA+sDumHyurAAAO2+f2wiV8=
=yzto
-----END PGP SIGNATURE-----

(6599885) /Caldera Support Information <sup-info@opus.caldera.com>/(Ombruten)