GnuPG parse_comment() integer overflow

gnupg-parsecomment-overflow (28220)

High Risk

Description:

GNU Privacy Guard (GnuPG or GPG) is vulnerable to an integer overflow in the parse_comment() function. A remote attacker could exploit this vulnerability by sending an overly long message packet to execute arbitrary code on the system or cause the application to crash.

Platforms Affected:

• Canonical, Ubuntu 4.10
• Canonical, Ubuntu 5.04
• Canonical, Ubuntu 5.10
• Canonical, Ubuntu 6.06 LTS
• Debian, Debian Linux 3.1
• Gentoo, Linux
• GNU, Privacy Guard 1.0
• GNU, Privacy Guard 1.0.1
• GNU, Privacy Guard 1.0.2
• GNU, Privacy Guard 1.0.3
• GNU, Privacy Guard 1.0.4
• GNU, Privacy Guard 1.0.5
• GNU, Privacy Guard 1.0.6
• GNU, Privacy Guard 1.0.7
• GNU, Privacy Guard 1.2
• GNU, Privacy Guard 1.2.1
• GNU, Privacy Guard 1.2.2
• GNU, Privacy Guard 1.2.3
• GNU, Privacy Guard 1.2.4
• GNU, Privacy Guard 1.2.5
• GNU, Privacy Guard 1.2.6
• GNU, Privacy Guard 1.2.7
• GNU, Privacy Guard 1.3.3
• GNU, Privacy Guard 1.3.4
• GNU, Privacy Guard 1.4
• GNU, Privacy Guard 1.4.1
• GNU, Privacy Guard 1.4.2
• GNU, Privacy Guard 1.4.2.1
• GNU, Privacy Guard 1.4.2.2
• GNU, Privacy Guard 1.4.3
• GNU, Privacy Guard 1.4.4
• MandrakeSoft, Mandrake Linux 2006 X86_64
• MandrakeSoft, Mandrake Linux 2006
• MandrakeSoft, Mandrake Linux Corporate Server 3.0
• MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
• MandrakeSoft, Mandrake Multi Network Firewall 2.0
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 Desktop
• RedHat, Enterprise Linux 4 WS
• RedHat, Enterprise Linux 4 AS
• RedHat, Linux Advanced Workstation 2.1 Itanium

Remedy:

Upgrade to the latest version of GnuPG (1.4.5 or later), available from the GnuPG Web site. See References.

For Red Hat Linux:
Refer to RHSA-2006:0615-4 for patch, upgrade, or suggested workaround information. See References.

For Debian GNU/Linux:
Refer to DSA-1140-1 or DSA-1141-1 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-332-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200608-08 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• BugTraq Mailing List, Wed Aug 02 2006 - 14:09:06 CDT, rPSA-2006-0143-1 gnupg at http://archives.neohapsis.com/archives/bugtraq/2006-08/0040.html.
• Dailydave Mailing List, Fri Jul 21 17:55:58 EST 2006, GnuPG 1.4.4 fun at http://lists.immunitysec.com/pipermail/dailydave/2006-July/003354.html.
• DSA 1140-1, New GnuPG packages fix denial of service at http://www.debian.org/security/2006/dsa-1140.
• GnuPG-Announce Mailing List, Tue Aug 1 17:37:08 CEST 2006, [Announce] GnuPG 1.4.5 released (another security fix) at http://lists.gnupg.org/pipermail/gnupg-announce/2006q3/000229.html.
• GnuPG.org, Download at http://www.gnupg.org/download/.
• Red Hat Bugzilla Bug 200502, CVE-2006-3746 GnuPG Parse_Comment Remote Buffer Overflow at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200502.
• ASA-2006-164: gnupg security update (RHSA-2006-0615)
• BID-19110: GnuPG Parse_Comment Remote Buffer Overflow Vulnerability
• CVE-2006-3746: Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message.
• DSA-1140: gnupg -- integer overflow
• DSA-1141: gnupg2 -- integer overflow
• FrSIRT/ADV-2006-3123: GnuPG parse_comment() Message Packet Length Handling Integer Overflow Vulnerability
• GLSA-200608-08: GnuPG: Integer overflow vulnerability
• MDKSA-2006:141: Updated gnupg packages fix vulnerability
• RHSA-2006-0615: gnupg security update
• SA21297: GnuPG "parse_comment" Denial of Service Vulnerability
• SA21522: Avaya Products Integer Overflow and Denial of Service
• SECTRACK ID: 1016622: GnuPG Integer Overflow Lets Local Users Deny Service
• SUSE-SR:2006:020: SUSE Security Summary Report
• USN-332-1: gnupg vulnerability

Reported:

Aug 01, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page