TLSA2001028 gnupg-1.0.6-1

From: TurboLinux Security Team (securityat_private)
Date: Thu Jun 21 2001 - 11:51:05 PDT


    ___________________________________________________________________________
    
                         Turbolinux Security Announcement
    
            Package: gnupg
            Vulnerable Packages: All Turbolinux versions previous to 1.0.6-1
            Date: 06/21/2001 5:00 PDT
    
            Affected Turbolinux platforms:  TL 6.5 Server,
                                            TL 6.1 Workstation,
                                            All Turbolinux versions
                                            6.0.5 and earlier
    
            Turbolinux Advisory ID#:  TLSA2001028
    
       References: http://www.i.cz/en/onas/tisk4.html
                   http://linuxtoday.com/news_story.php3?ltsn=2001-05-30-015-20-SC-PD
    
    ___________________________________________________________________________
    
    Security holes have been discovered in the package gnupg, the GPG
    encryption program.  Please update this package in your installation as
    soon as possible.
    ___________________________________________________________________________
    
    1. Problem Summary
    
       a. Format String Vulnerability

          An indirect invocation of the function vfprintf() does not pass
          "%s" as the format argument; the filename being reported is used
          as the format string itself.  A filename containing format
          directives is therefore interpreted by vfprintf(), which may allow
          a user with malicious intent to invoke shell commands with the
          privileges of the user running gpg.
    
       b. Private Key Retrieval Vulnerability

          It has been determined that insufficient measures are taken to
          protect a user's secret key.  If an attacker has write access to a
          user's private key file and is able to capture a message signed
          with that private key, he will be able to recover the user's
          private key.  Note that this is possible even without knowledge of
          the user's secret passphrase.
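
    As an added illustration of item 1.a (not code from GnuPG or from
    Turbolinux), the C below uses a hypothetical logging wrapper that forwards
    its format string to vsnprintf(), the same shape as the indirect
    vfprintf() call described above, and shows the vulnerable caller that
    passes the filename as the format next to the corrected caller that passes
    "%s" first; all function names and the sample filename are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper (not GnuPG code) shaped like the indirect
 * vfprintf() call in the advisory: it forwards whatever it is given as
 * the format string.  Whether that is safe depends entirely on the caller. */
static int log_render(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the untrusted filename IS the format string, so every
 * '%' directive it contains is interpreted by the printf machinery. */
int render_filename_vulnerable(char *out, size_t outsz, const char *filename)
{
    return log_render(out, outsz, filename);
}

/* Fixed pattern: a constant format, with the filename passed as data. */
int render_filename_fixed(char *out, size_t outsz, const char *filename)
{
    return log_render(out, outsz, "%s", filename);
}

/* Audit helper: flags external strings that a format parser would act on,
 * i.e. the inputs that must never reach a format argument. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed sample: "%%" is the one directive that is well defined
     * without extra arguments, so the difference is visible without UB. */
    const char *name = "50%%.txt";
    char buf[64];
    render_filename_vulnerable(buf, sizeof buf, name);
    printf("vulnerable: %s\n", buf);   /* directive consumed: 50%.txt */
    render_filename_fixed(buf, sizeof buf, name);
    printf("fixed:      %s\n", buf);   /* passed through:     50%%.txt */
    return 0;
}
```

    Compilers only flag the vulnerable call when the wrapper carries a printf
    format attribute, so the audit helper is the check to apply to inputs.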
      
    2. Solution
    
      Update the package from our ftp server by running the following command:
    
      rpm -Uvh ftp_path_to_filename
    
      Where ftp_path_to_filename is the following:
    
    ftp://ftp.turbolinux.com/pub/updates/6.0/security/gnupg-1.0.6-1.i386.rpm
    
      The source RPM can be downloaded here:
    
    ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/gnupg-1.0.6-1.src.rpm
    
      **Note: You must rebuild and install the RPM if you choose to download
      and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
      THE SECURITY HOLE.
    
     Please verify the MD5 checksums of the updates before you install:
    
      MD5 sum                               Package Name
    ___________________________________________________________________________
    
      a336358f776e0dbbb9f495693386a193     gnupg-1.0.6-1.i386.rpm
      bb873783b676249cbf22a09b5bc56f4d     gnupg-1.0.6-1.src.rpm
    ___________________________________________________________________________
    
    These packages are GPG signed by Turbolinux for security. Our key
    is available here:
    
     http://www.turbolinux.com/security/tlgpgkey.asc
    
    To verify a package, use the following command:
    
     rpm --checksig name_of_rpm
    
    To examine only the md5sum, use the following command:
    
     md5sum name_of_rpm
    
    **Note: Checking GPG keys requires RPM 3.0 or higher.
    
    ___________________________________________________________________________
    
    You can find more updates on our ftp server:
    
       ftp://ftp.turbolinux.com/pub/updates/6.0/security/ 
       for TL6.x Workstation and Server security updates
      
    Our webpage for security announcements:
    
       http://www.turbolinux.com/security
    
    If you want to report vulnerabilities, please contact:
    
       securityat_private
    ___________________________________________________________________________
    
    Subscribe to the Turbolinux Security Mailing lists:
    
      TL-security - A moderated list for discussing security issues in
                    Turbolinux products.
      Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security
    
      TL-security-announce - An announce-only mailing list for security
                             updates and alerts.
    
      Subscribe at:
    
          http://www.turbolinux.com/mailman/listinfo/tl-security-announce
    