GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Sat Oct 22, 2011 5:26 am Post subject: [ GLSA 201110-15 ] GnuPG: User-assisted execution of arbitrary code
Gentoo Linux Security Advisory
Title: GnuPG: User-assisted execution of arbitrary code (GLSA 201110-15)
Severity: normal
Exploitable: remote
Date: October 22, 2011
Bug(s): #329583
ID: 201110-15
Synopsis
The GPGSM utility included in GnuPG contains a use-after-free
vulnerability that may allow an unauthenticated remote attacker to execute
arbitrary code.
Background
The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of
cryptographic software. The GPGSM utility in GnuPG is responsible for
processing X.509 certificates, signatures and encryption as well as
S/MIME messages.
Affected Packages
Package: app-crypt/gnupg
Vulnerable: < 2.0.16-r1
Unaffected: >= 2.0.16-r1
Unaffected: < 2.0
Architectures: All supported architectures
Description
The GPGSM utility in GnuPG contains a use-after-free vulnerability that
may be exploited when importing a crafted X.509 certificate explicitly or
during the signature verification process.
Impact
An unauthenticated remote attacker may execute arbitrary code with the
privileges of the user running GnuPG by enticing them to import a crafted
certificate.
Workaround
There is no known workaround at this time.
Resolution
All GnuPG 2.x users should upgrade to the latest version:

Code:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.16-r1"
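As an added example (not part of the advisory or of Gentoo's own tooling), the following Python check tests an installed app-crypt/gnupg version against the affected range this GLSA states (2.x below 2.0.16-r1 vulnerable, 1.x unaffected). It assumes a simplified Gentoo version syntax of dotted numbers plus an optional -rN revision; suffixes such as _rc or _p are deliberately not handled.

```python
import re
from typing import Tuple

# Range taken from the advisory's "Affected Packages" section.
FIRST_AFFECTED = "2.0"       # 1.x (< 2.0) is listed as unaffected
FIXED_VERSION = "2.0.16-r1"  # first unaffected 2.x build

# Simplified Gentoo version: dotted integers, optional -rN revision (assumption).
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Split '2.0.16-r1' into ((2, 0, 16), 1); revision defaults to 0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    revision = int(m.group(2)) if m.group(2) else 0
    return numbers, revision


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter dotted parts are zero-padded, so 2.0 == 2.0.0."""
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    key_a, key_b = (na, ra), (nb, rb)
    return (key_a > key_b) - (key_a < key_b)


def is_vulnerable(installed: str) -> bool:
    """True if the installed gnupg version lies in [2.0, 2.0.16-r1)."""
    return compare(installed, FIRST_AFFECTED) >= 0 and compare(installed, FIXED_VERSION) < 0


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ["1.4.11", "2.0.14", "2.0.16", "2.0.16-r1", "2.0.18"]:
        print(f"app-crypt/gnupg-{v}: {'VULNERABLE' if is_vulnerable(v) else 'ok'}")
```

On a real Gentoo host the equivalent test against the installed tree is `glsa-check -t 201110-15`.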
References
CVE-2010-2547
Last edited by GLSA on Fri Jan 23, 2015 4:29 am; edited 2 times in total