The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of GnuPG: injection of unsigned data

Synthesis of the vulnerability 

An attacker can, for example, insert data before the signed data without GnuPG detecting the change.
Impacted products: Debian, Fedora, GnuPG, Mandriva Linux, Mandriva NF, openSUSE, RHEL, RedHat Linux, Slackware.
Severity of this bulletin: 3/4.
Creation date: 10/03/2006.
References of this threat: 20060401-01-U, BID-17058, CERTA-2006-AVI-103, CVE-2006-0049, DSA-993-1, DSA-993-2, FEDORA-2006-147, FLSA:185355, FLSA-2006:185355, MDKSA-2006:055, RHSA-2006:026, RHSA-2006:0266-01, SSA:2006-072-02, SUSE-SA:2006:014, VIGILANCE-VUL-5679.

Description of the vulnerability 

A signed message is generally composed of "O + D + S":
 - O: "One-Pass" (version, signature type, etc.)
 - D: data
 - S: signature of D
However, in order to support various historic formats, GnuPG also recognizes:
 - S + D
 - D + S
 - O1 + D1 + S1 + O2 + D2 + S2 (two concatenated signed messages)

An attacker can construct the following message:
  attacker_data + O + D + S
In this case, GnuPG verifies S as the signature of D, but the data actually produced is "attacker_data + D". This is, for example, the data returned by the "--output" option.

An attacker can therefore, from a captured signed message, construct a new message, which will be validated by GnuPG.
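To make the structural point concrete, here is an added example (not code from the bulletin or from GnuPG) modelling the packet layouts above: a keyed hash stands in for the real signature, `verify_lax` reproduces the described behaviour of checking S against D while still emitting every data packet, and `verify_strict` accepts only the three layouts listed (with O + D + S allowed to repeat) and rejects any data packet that no signature covers.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed stand-in for the signer's key (assumption)

def sign(data: bytes) -> bytes:
    # Keyed hash as a stand-in for an OpenPGP signature over the data packet D.
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify_sig(sig: bytes, data: bytes) -> bool:
    return hmac.compare_digest(sig, sign(data))

# A message is a list of packets (kind, payload): "O" one-pass, "D" data, "S" signature.
def signed_message(data: bytes) -> list:
    return [("O", b""), ("D", data), ("S", sign(data))]  # the usual O + D + S layout

def verify_lax(packets: list):
    """Behaviour described in the bulletin: each S is checked against the adjacent D,
    but every D is written to the output, covered by a signature or not."""
    for i, (kind, sig) in enumerate(packets):
        if kind != "S":
            continue
        prev = packets[i - 1] if i > 0 else None
        nxt = packets[i + 1] if i + 1 < len(packets) else None
        data = prev if prev and prev[0] == "D" else nxt
        if data is None or data[0] != "D" or not verify_sig(sig, data[1]):
            return None
    return b"".join(p for k, p in packets if k == "D")

def verify_strict(packets: list):
    """Fixed behaviour: accept only S+D, D+S, or a sequence of O+D+S units; any packet
    outside a signed unit (data injected before or after it) causes rejection."""
    kinds = [k for k, _ in packets]
    if kinds == ["S", "D"] or kinds == ["D", "S"]:  # historic layouts, whole message only
        sig, data = (packets[0], packets[1]) if kinds[0] == "S" else (packets[1], packets[0])
        return data[1] if verify_sig(sig[1], data[1]) else None
    if not packets or len(packets) % 3:
        return None
    out = b""
    for i in range(0, len(packets), 3):
        if kinds[i:i + 3] != ["O", "D", "S"]:
            return None
        data, sig = packets[i + 1][1], packets[i + 2][1]
        if not verify_sig(sig, data):
            return None
        out += data
    return out

LEGIT = signed_message(b"pay 10 EUR")                  # constructed sample message
INJECTED = [("D", b"pay 1000 EUR ")] + LEGIT           # attacker_data + O + D + S
```

Run against `INJECTED`, the lax check returns the prefixed data while the strict check returns `None`, which is the difference a verifier must enforce: the output must consist only of bytes some signature actually covers.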

This vulnerability alert impacts software or systems such as Debian, Fedora, GnuPG, Mandriva Linux, Mandriva NF, openSUSE, RHEL, RedHat Linux, Slackware.

Our Vigil@nce team determined that the severity of this vulnerability note is important.

The trust level is "confirmed by the editor", with an origin of "document".

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat 

GnuPG: version 1.4.2.2.
Version 1.4.2.2 is fixed:
  http://www.gnupg.org/download/
  http://www.gnupg.org/mirrors.html

Debian: new gnupg packages.
New packages are available:
Debian GNU/Linux 3.0 alias woody
  Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_i386.deb
      Size/MD5 checksum: 966800 52e985fbb5e9bcd7baa320c549b7b70c
  Intel IA-64 architecture:
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_ia64.deb
      Size/MD5 checksum: 1271958 27317f852e24ce3784ec62aec0860c6a
Debian GNU/Linux 3.1 alias sarge
  Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_i386.deb
      Size/MD5 checksum: 1908754 cd9c2257b8c7149a92131abbdaef498c
  Intel IA-64 architecture:
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_ia64.deb
      Size/MD5 checksum: 2324736 3553c75fac7cdc0a7d157c20aad4525c

Fedora: new gnupg packages.
New packages are available:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
399347d86a34ec777de3fa46a8931774bf425679 SRPMS/gnupg-1.4.2.2-1.src.rpm
a42396ca1e3828f725c903f3a38a03096bea3e91 ppc/gnupg-1.4.2.2-1.ppc.rpm
d080a2ac636e7200970f7bca2cde0897d9949910 ppc/debug/gnupg-debuginfo-1.4.2.2-1.ppc.rpm
5f0cb70184126988f240c3487fe38ed37bae0df6 x86_64/gnupg-1.4.2.2-1.x86_64.rpm
bc935e3520882a6461ddb27318fa909ebd9d47b4 x86_64/debug/gnupg-debuginfo-1.4.2.2-1.x86_64.rpm
fa64b2b2645982e7abe49a2ca0ae85c899d65eff i386/gnupg-1.4.2.2-1.i386.rpm
8c146199cc14d0dbfaebbc2c4b8fbeb17e9589f1 i386/debug/gnupg-debuginfo-1.4.2.2-1.i386.rpm

Mandriva: new gnupg packages.
New packages are available:
 Mandriva Linux 10.2:
 78bc5edadc4c09cc79301e92e769792b 10.2/RPMS/gnupg-1.4.2.2-0.1.102mdk.i586.rpm
 a64138f15d9d24c9fd342a9d58739629 10.2/SRPMS/gnupg-1.4.2.2-0.1.102mdk.src.rpm
 Mandriva Linux 10.2/X86_64:
 921557b980e6831d91f67c1be03ff221 x86_64/10.2/RPMS/gnupg-1.4.2.2-0.1.102mdk.x86_64.rpm
 a64138f15d9d24c9fd342a9d58739629 x86_64/10.2/SRPMS/gnupg-1.4.2.2-0.1.102mdk.src.rpm
 Mandriva Linux 2006.0:
 ff09cfa3b8f71b9e5ddf4a7639696b9d 2006.0/RPMS/gnupg-1.4.2.2-0.1.20060mdk.i586.rpm
 22b6b9305f47570652dc276cf8f18401 2006.0/SRPMS/gnupg-1.4.2.2-0.1.20060mdk.src.rpm
 Mandriva Linux 2006.0/X86_64:
 388c4bca33be3cccb9a44e87b1a34964 x86_64/2006.0/RPMS/gnupg-1.4.2.2-0.1.20060mdk.x86_64.rpm
 22b6b9305f47570652dc276cf8f18401 x86_64/2006.0/SRPMS/gnupg-1.4.2.2-0.1.20060mdk.src.rpm
 Corporate 3.0:
 cd7fbec4de29eabcc31fdeb90e05f674 corporate/3.0/RPMS/gnupg-1.4.2.2-0.1.C30mdk.i586.rpm
 54fa6da091d1124b661a9fbc4f21abe1 corporate/3.0/SRPMS/gnupg-1.4.2.2-0.1.C30mdk.src.rpm
 Corporate 3.0/X86_64:
 f43a3a505f7874324542f16398243786 x86_64/corporate/3.0/RPMS/gnupg-1.4.2.2-0.1.C30mdk.x86_64.rpm
 54fa6da091d1124b661a9fbc4f21abe1 x86_64/corporate/3.0/SRPMS/gnupg-1.4.2.2-0.1.C30mdk.src.rpm
 Multi Network Firewall 2.0:
 3a998c3c9451bba3ac118df3a8b74955 mnf/2.0/RPMS/gnupg-1.4.2.2-0.1.M20mdk.i586.rpm
 18cfe29d05e64e08c77bab8683517798 mnf/2.0/SRPMS/gnupg-1.4.2.2-0.1.M20mdk.src.rpm

Red Hat Linux, Fedora Core: new gnupg packages.
New packages are available:
Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gnupg-1.0.7-13.3.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gnupg-1.0.7-13.3.legacy.i386.rpm
Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gnupg-1.2.1-9.2.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gnupg-1.2.1-9.2.legacy.i386.rpm
Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gnupg-1.2.3-2.2.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gnupg-1.2.3-2.2.legacy.i386.rpm
Fedora Core 2:
SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gnupg-1.2.4-2.3.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gnupg-1.2.4-2.3.legacy.i386.rpm
Fedora Core 3:
SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gnupg-1.2.7-1.2.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/gnupg-1.2.7-1.2.legacy.i386.rpm
x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnupg-1.2.7-1.2.legacy.x86_64.rpm

RHEL 3: new gnupg packages.
New packages are available:
Red Hat Enterprise Linux version 2.1: gnupg-1.0.7-16
Red Hat Enterprise Linux version 3: gnupg-1.2.1-15
Red Hat Enterprise Linux version 4: gnupg-1.2.6-3

SGI ProPack 3 SP6: new cdrtools, gdb, gnupg, initscripts, mailman, python, sendmail, squid, vixie-cron packages.
Patch 10291 is available:
  http://support.sgi.com/
New packages are also available:
  ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS
  ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS

Slackware: new gnupg packages.
New packages are available:
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/gnupg-1.4.2.2-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/gnupg-1.4.2.2-i486-1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/gnupg-1.4.2.2-i486-1.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/gnupg-1.4.2.2-i486-1.tgz
Updated package for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/gnupg-1.4.2.2-i486-1.tgz

SUSE: new gpg packages.
New packages are available:
   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/gpg-1.4.2-5.4.i586.rpm
         17f4db7313fb81477d491cd1de3b4a7c
   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/gpg-1.4.0-4.4.i586.rpm
         781a1f6ee507960c3b7f5ab7b09aae01
   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/gpg-1.2.5-3.6.i586.rpm
         0ac37c5097314b9d65fe3c00552991ba
   SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpg-1.2.4-68.13.i586.rpm
         2436ccc119ac1af98928536d2b968a3a