| GnuPG 'gpgkeys_hkp' Format String Flaw Lets Remote Keyservers Execute Arbitrary Code |
|---|
Category: Vulnerability | Posted: 2003-12-05 by ReCall
| Details |
|---|
Description: A format string vulnerability was reported in GnuPG in the experimental 'gpgkeys_hkp' utility. A malicious keyserver can execute arbitrary code on the target user's system.
S-Quadra reported that when the external HKP interface is enabled, the get_key() function in 'keyserver/gpgkeys_hkp.c' makes an fprintf() call based on user-supplied input, without providing a format specifier and without validating that input. A malicious keyserver can return specially crafted information to potentially execute arbitrary code.
The report indicates that this HKP interface is not enabled by default in the 1.2 stable branch, but is enabled by default on the 1.3 development branch.
The vendor was reportedly notified on 27 November 2003.
Impact: A remote keyserver can execute arbitrary code on a target user's system.
Solution: The vendor has released a fixed development version (1.3.4) and has issued a fix for the 1.2 branch, available via CVS.
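
The bug class described above, shown as an added example that is neither GnuPG's code nor part of the original report: the unsafe form uses server-supplied text as the fprintf() format string, and the hardened form passes it only as an argument to a constant format. The function names and the sample reply line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#ifdef SHOW_VULNERABLE_PATTERN
/* Bug class from the advisory: the server-controlled string IS the format,
 * so any '%' directive in `line` is interpreted by fprintf().
 * Not compiled by default. */
static int emit_line_unsafe(FILE *out, const char *line)
{
    return fprintf(out, line);
}
#endif

/* Hardened form: constant format string, untrusted data only as an argument. */
static int emit_line_safe(FILE *out, const char *line)
{
    return fprintf(out, "%s", line);
}

/* Writes `line` with emit_line_safe() to a temp file, reads it back and
 * returns 1 if the bytes are unchanged, 0 if they differ, -1 on I/O error. */
static int emitted_verbatim(const char *line)
{
    char back[256];
    size_t len = strlen(line), got;
    FILE *tmp;

    if (len >= sizeof back)
        return -1;
    tmp = tmpfile();
    if (tmp == NULL)
        return -1;
    if (emit_line_safe(tmp, line) != (int)len) {
        fclose(tmp);
        return -1;
    }
    rewind(tmp);
    got = fread(back, 1, sizeof back - 1, tmp);
    fclose(tmp);
    back[got] = '\0';
    return got == len && memcmp(back, line, len) == 0;
}

int main(void)
{
    /* Constructed sample of a keyserver reply line carrying directives. */
    const char *reply = "pub:%x%x%s%n:constructed";
    printf("verbatim=%d\n", emitted_verbatim(reply));
    return 0;
}
```

Building with GCC's `-Wformat -Wformat-security` flags the unsafe call when `SHOW_VULNERABLE_PATTERN` is defined, which makes the option a useful audit check for this pattern.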