推荐论坛

最新更新

专家提醒Office办公软件中存高危安全漏洞
证实IE存在高危漏洞计划提前发布补丁
RealPlayer发现四个安全漏洞 可控制用户PC
安全专家称Sendmail软件中存在严重级漏洞
Indexu远程文件包含漏洞
IE最新高危漏洞非官方补丁
GnuPG内置签名验证漏洞
微软Windows Help图象溢出漏洞
qliteNews存在多个SQL注入漏洞
RedCMS内容管理程序存在输入验证漏洞

GnuPG内置签名验证漏洞

发布时间: 2007-3-17 23:37    作者: admin    来源:

字体:        | 上一篇 下一篇 | 打印

受影响系统:
GNU Privacy Guard < 1.4.2.2
不受影响系统:
GNU Privacy Guard 1.4.2.2
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 17058
CVE(CAN) ID: CVE-2006-0049

GnuPG是基于OpenPGP标准的PGP加密、解密、签名工具。

GnuPG在处理邮件内置的签名时存在验证漏洞,攻击者可能利用此漏洞在邮件中插入额外的数据。

GnuPG在提取已签名的数据时,数据可能前置或后缀了签名没有没有覆盖到的额外数据,这样攻击者就可以利用签名消息注入额外的任意数据。

<*来源:Werner Koch (wk@gnupg.org)
Tavis Ormandy (taviso@gentoo.org)

链接:http://marc.theaimsgroup.com/?l=bugtraq&m=114201635307680&w=2
http://www.debian.org/security/2005/dsa-993
http://security.gentoo.org/glsa/glsa-200603-08.xml
*>

建议:
--------------------------------------------------------------------------------
厂商补丁:

Debian
------
Debian已经为此发布了一个安全公告(DSA-993-2)以及相应补丁:
DSA-993-2:New GnuPG packages fix broken signature check
链接:http://www.debian.org/security/2005/dsa-993

补丁下载:

Source archives:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5.dsc
Size/MD5 checksum: 579 b34d5a5996b358e713e2e8bb71dc6404
http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5.diff.gz
Size/MD5 checksum: 7866 5e36a3c06fae2b3d96a9db65988fffbd
http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6.orig.tar.gz
Size/MD5 checksum: 1941676 7c319a9e5e70ad9bc3bf0d7b5008a508

Alpha architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_alpha.deb
Size/MD5 checksum: 1150716 ff72280db81dbc60041cd91a0d307ee6

ARM architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_arm.deb
Size/MD5 checksum: 987194 1ca0bbdaaec049b128996cdd9f776834

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_i386.deb
Size/MD5 checksum: 966800 52e985fbb5e9bcd7baa320c549b7b70c

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_ia64.deb
Size/MD5 checksum: 1271958 27317f852e24ce3784ec62aec0860c6a

HP Precision architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_hppa.deb
Size/MD5 checksum: 1059666 5b73bdfab02c7c8184b58db2c3e0b240

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_m68k.deb
Size/MD5 checksum: 942614 c15e8b65687c52530e48665669dde8c3

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_mips.deb
Size/MD5 checksum: 1035974 ce95aa0adb6060fc68119c4df3492293

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_mipsel.deb
Size/MD5 checksum: 1036400 f40b42f381d7f04004f219c16de542fc

PowerPC architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_powerpc.deb
Size/MD5 checksum: 1009720 8b0372d551b48829ce6be7d0f69f6559

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_s390.deb
Size/MD5 checksum: 1002210 deef79ef16b8f5bac2b32f912caac46c

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_sparc.deb
Size/MD5 checksum: 1003974 2bf876aa4b6a50cb3aadb7ef2e233f69


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3.dsc
Size/MD5 checksum: 680 8f2f1848dcdfe9d143d8e9352ef918ca
http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3.diff.gz
Size/MD5 checksum: 19639 9ffb89fa0a770568ddd80a11e3eada78
http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
Size/MD5 checksum: 4059170 1cc77c6943baaa711222e954bbd785e5

Alpha architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_alpha.deb
Size/MD5 checksum: 2155538 07b4643bf4cd05639a261fa0b3fa6a89

AMD64 architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_amd64.deb
Size/MD5 checksum: 1963222 52cdf1bb1a228427abd31abff411a946

ARM architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_arm.deb
Size/MD5 checksum: 1899232 c52b0d652506e2384340d67f8126a1b2

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_i386.deb
Size/MD5 checksum: 1908754 cd9c2257b8c7149a92131abbdaef498c

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_ia64.deb
Size/MD5 checksum: 2324736 3553c75fac7cdc0a7d157c20aad4525c

HP Precision architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_hppa.deb
Size/MD5 checksum: 2004042 2bb61f214979d403de8e3eab35c4ef00

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_m68k.deb
Size/MD5 checksum: 1810978 8da1cbf5b8291ff54194010881832bf1

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_mips.deb
Size/MD5 checksum: 2000618 dfcf0ab7c9f5b3aada55bc27c1f1119d

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_mipsel.deb
Size/MD5 checksum: 2007396 6d99bcd4559ef9a73d43cedd8b8d1680

PowerPC architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_powerpc.deb
Size/MD5 checksum: 1957560 570ae516c68d6803aeafce048e0f978c

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_s390.deb
Size/MD5 checksum: 1966774 2f4a27beba4ff1fc96ef11d9e77b7ec1

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_sparc.deb
Size/MD5 checksum: 1897162 8520ccf5a05546d18a641a480b5926ac

补丁安装方法:

1. 手工安装补丁包:

首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)

然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包:

首先,使用下面的命令更新内部数据库:
# apt-get update

然后,使用下面的命令安装更新软件包:
# apt-get upgrade

GNU
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

ftp://ftp.gnupg.org/gcrypt/

Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200603-08)以及相应补丁:
GLSA-200603-08:GnuPG: Incorrect signature verification
链接:http://security.gentoo.org/glsa/glsa-200603-08.xml

所有GnuPG用户都应升级到最新版本:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.2.2"


查看全部评论(0)我来说两句

-5 -3 -1 - +1 +3 +5