USN-332-1: gnupg vulnerability
Posted on: 08/03/2006 01:12 PM

A new gnupg vulnerability update is available for Ubuntu Linux. Here is the announcement:

Ubuntu Security Notice USN-332-1 August 03, 2006
gnupg vulnerability
CVE-2006-3746
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
gnupg 1.2.5-3ubuntu5.5

Ubuntu 5.10:
gnupg 1.4.1-1ubuntu1.4

Ubuntu 6.06 LTS:
gnupg 1.4.2.2-1ubuntu2.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Evgeny Legerov discovered that gnupg did not sufficiently check the
validity of the comment and a control field. Specially crafted GPG
data could cause a buffer overflow. This could be exploited to execute
arbitrary code with the user's privileges if an attacker can trick a
user into processing a malicious encrypted/signed document with gnupg.


Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.5.diff.gz
Size/MD5: 67172 29ae368ce975c0ba45f5f8faab3544eb
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.5.dsc
Size/MD5: 654 b77427b0e347fd51822fbded59629c39
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5.orig.tar.gz
Size/MD5: 3645308 9109ff94f7a502acd915a6e61d28d98a

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.5_amd64.deb
Size/MD5: 806304 ed9984ee4c43817ad4bfaac0318dacd2
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.5_amd64.udeb
Size/MD5: 146492 1761ff0057e8c5fc1290bb6fea061fff

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.5_i386.deb
Size/MD5: 750870 327780d0bc5b4492cfb2d91d81ce1e4d
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.5_i386.udeb
Size/MD5: 121414 755b78879ae2ff649831bc4258ec9cd0

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.5_powerpc.deb
Size/MD5: 806802 659c72a26c312d0a21dfca0ef8168dc1
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.5_powerpc.udeb
Size/MD5: 135552 738c35bc6fce9b6c23a85bcd8e805d31

Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.4.diff.gz
Size/MD5: 21517 ce1cea807240a851dc29c0ad1c8e3824
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.4.dsc
Size/MD5: 684 75bea35501b917876414e63811e4724f
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
Size/MD5: 4059170 1cc77c6943baaa711222e954bbd785e5

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.4_amd64.deb
Size/MD5: 1136488 845e1771e0f8437a7d77b8ffcdc13b5a
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.4_amd64.udeb
Size/MD5: 152266 3a4de994f65e12058b69eeb3940d8c9f

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.4_i386.deb
Size/MD5: 1044632 f8da3941df01cced12e35fb0c4bf3e53
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.4_i386.udeb
Size/MD5: 130694 3af2232b978645923226a0cb6714475d

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.4_powerpc.deb
Size/MD5: 1119760 3a01f0ee2ba319d6d884b84f82b25f2d
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.4_powerpc.udeb
Size/MD5: 140248 a61c84caeecffb3b3c3207b28a84e8ab

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.4_sparc.deb
Size/MD5: 1064344 258595b36dd297f5100cc82f59717e54
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.4_sparc.udeb
Size/MD5: 139584 58cc4a91254ea52878b4df2873ad22c2

Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.2.diff.gz
Size/MD5: 20451 b0c637087a904197f957c32b6364417d
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.2.dsc
Size/MD5: 692 84098e8a7001961c8141eb8ea4f3dcde
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2.orig.tar.gz
Size/MD5: 4222685 50d8fd9c5715ff78b7db0e5f20d08550

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.2_amd64.deb
Size/MD5: 1066284 23f4741e2da976dd050d38c5da08e9f8
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.2_amd64.udeb
Size/MD5: 140296 c53b5fbc2cc73451b72875907cc417c1

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.2_i386.deb
Size/MD5: 981204 ed7bcc9d4a3442efbcac2f4b99a2b57d
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.2_i386.udeb
Size/MD5: 120282 031ef43bea646c9687a8e9d1929ad988

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.2_powerpc.deb
Size/MD5: 1053660 7ee4f7add0d48f056fb0fc964b85b032
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.2_powerpc.udeb
Size/MD5: 130170 fe7a1606cc65d71fce2b7e7f3fab88dc

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.2.2-1ubuntu2.2_sparc.deb
Size/MD5: 993782 025a2fbe8c4a466b37b2a455226f3876
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.2.2-1ubuntu2.2_sparc.udeb
Size/MD5: 127434 2d5a6522372b8c645a2fb5b37bb1e846





Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_332_1_gnupg_vulnerability.html)