GnuPG installed setgid could allow attacker to overwrite files
| gnupg-setgid-overwrite-files (12699) |  Medium Risk |
Description:
GNU Privacy Guard (GnuPG or GPG) could allow a local attacker to overwrite files. GnuPG is installed setgid root, which could allow a local attacker to overwrite files that have group root writable permissions.
Platforms Affected:
- Gentoo, Linux
- GNU, Privacy Guard 1.2.2 r1
Remedy:
According to Gentoo Linux Security Announcement 200307-06, the vulnerability is fixed in the latest gnupg package (1.2.2-r1), however, the advisory also lists this as a vulnerable version. See References.
Consequences:
File Manipulation
References:
- Gentoo Linux Security Announcement 200307-06, gnupg - gpg setgid at http://www.linuxsecurity.com/content/view/105213/104/. (From LinuxSecurity archive)
- BID-8228: GnuPG Group Root File Corruption Vulnerability
Reported:
Jul 19, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net