gnupg vulnerability

2006.02.17
Credit: Martin Pitt
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

=========================================================== Ubuntu Security Notice USN-252-1 February 17, 2006 gnupg vulnerability CVE-2006-0455 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: gnupg The problem can be corrected by upgrading the affected package to version 1.2.4-4ubuntu2.2 (for ubuntu 4.10), 1.2.5-3ubuntu5.2 (for Ubuntu 5.04), or 1.4.1-1ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Tavis Ormandy discovered a potential weakness in the signature verification of gnupg. gpgv and gpg --verify returned a successful exit code even if the checked file did not have any signature at all. The recommended way of checking the result is to evaluate the status messages, but some third party applications might just check the exit code for determining whether or not a signature is valid. These applications could be tricked into erroneously reporting a valid signature. Please note that this does not affect the Ubuntu package signature checks. Updated packages for Ubuntu 4.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2 .2.diff.gz Size/MD5: 57697 7859d87efb668c1ffb53859c17e7200a http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2 .2.dsc Size/MD5: 621 a601569ac7c80138bc56e9f9eb4fbecb http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4.orig.tar .gz Size/MD5: 3451202 adfab529010ba55533c8e538c0b042a2 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2 .2_amd64.deb Size/MD5: 1722418 530e590811bd954b24ff06ca0a690050 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2 .2_i386.deb Size/MD5: 1667378 9456a90509b1c80c1723abd2bf2b9d07 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2 .2_powerpc.deb Size/MD5: 1721708 f8bc943af454d4bcc6566340c6ef1a41 Updated packages for Ubuntu 5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5 .2.diff.gz Size/MD5: 63903 154d68158685ee570446e0ea5bde2fd4 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5 .2.dsc Size/MD5: 654 3101b98dfda3da22b8c013ff557fd95a http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5.orig.tar .gz Size/MD5: 3645308 9109ff94f7a502acd915a6e61d28d98a amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5 .2_amd64.deb Size/MD5: 805508 d370724a74d179da246fa48240f2907e http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubu ntu5.2_amd64.udeb Size/MD5: 146278 5f2a57a83c42c4053c974a5c8dbfbd8f i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5 .2_i386.deb Size/MD5: 750320 da0f3f94a0f084a32be0bf1f17473a59 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubu ntu5.2_i386.udeb Size/MD5: 121234 210e76177b3737275909d31d6eeb0cc5 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5 .2_powerpc.deb Size/MD5: 806078 1d625d6235b1659f86acae0d8efbd3c4 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubu ntu5.2_powerpc.udeb Size/MD5: 135284 7d46859278245aa9784d020d23ac1440 Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1 .1.diff.gz Size/MD5: 18014 e0c82f178dd412ea54607ca9cd03624b http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1 .1.dsc Size/MD5: 684 c25b2397ca0e6af1201f840ba8e7e89b http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1.orig.tar .gz Size/MD5: 4059170 1cc77c6943baaa711222e954bbd785e5 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1 .1_amd64.deb Size/MD5: 1135890 fc1cab421bd3defb1587d8d49741cc61 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubu ntu1.1_amd64.udeb Size/MD5: 152140 45911ed13c75e1320633487e001a2d57 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1 .1_i386.deb Size/MD5: 1043962 91336db0bac738815ac0d4de7094fdb0 http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubu ntu1.1_i386.udeb Size/MD5: 130578 49c6cbdf3aed81683a346d0eee7f457b powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1 .1_powerpc.deb Size/MD5: 1119074 deea65c63af7e01c9675a2ff597ff3ba http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubu ntu1.1_powerpc.udeb Size/MD5: 140072 f147e53fb3beb6a19f362271d08d31e0 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (GNU/Linux) iD8DBQFD9eeeDecnbV4Fd/IRAojpAJ9V6srb0trpFMzdX52ZxirO/nZ22wCghe4v A/WCefpUc4WZyJCYVxgNT8o= =NEeZ -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top