Family: Debian Local Security Checks --> Category: infos
[DSA061] DSA-061-1 gnupg Vulnerability Scan
Vulnerability Scan Summary
Detailed Explanation for this Vulnerability Test
The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation) as distributed in Debian GNU/Linux 2.2 suffers from two problems:

fish stiqz reported on Bugtraq that there was a printf format string problem in the do_get() function: it printed a prompt which included the name of the file being decrypted without checking for possible printf format attacks. This could be exploited by tricking someone into decrypting a file with a specially crafted filename.

The second bug is related to importing secret keys: when gnupg imported a secret key, it would immediately make the associated public key fully trusted, which changes your web of trust without asking for confirmation. To fix this, you now need a special option to import a secret key.

Both problems have been fixed in version 1.0.6-0potato1.
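
The first problem belongs to the printf format string class. The following C sketch is an added example, not GnuPG's code: `emit()`, `prompt_flawed()`, `prompt_fixed()` and the prompt wording are hypothetical. It contrasts a prompt that is reused as the format string with one where the file name is passed only as data, using the harmless `%%` directive in a constructed file name to make the difference visible.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style output helper (stands in for a terminal writer). */
static int emit(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern: the prompt already contains the file name and is then
 * handed over as the format string, so any '%' in the name is interpreted. */
int prompt_flawed(char *out, size_t n, const char *filename)
{
    char prompt[256];
    snprintf(prompt, sizeof prompt, "Enter passphrase for %s: ", filename);
    return emit(out, n, prompt);
}

/* Hardened pattern: constant format string, file name passed only as data. */
int prompt_fixed(char *out, size_t n, const char *filename)
{
    return emit(out, n, "Enter passphrase for %s: ", filename);
}

int main(void)
{
    /* Constructed sample name; "%%" is a well-defined, harmless directive. */
    const char *name = "report-100%%.gpg";
    char a[256], b[256];

    prompt_flawed(a, sizeof a, name);  /* "%%" collapses to "%": name was parsed */
    prompt_fixed(b, sizeof b, name);   /* name reproduced byte for byte */
    printf("flawed: %s\nfixed:  %s\n", a, b);
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags direct `printf(prompt)` calls of this kind; wrappers such as `emit()` need a `format(printf, ...)` attribute before the compiler can check their callers.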
Solution : http://www.debian.org/security/2001/dsa-061
Threat Level: High