CVE-2003-0978
CVSS 7.5
Published: 2004-01-05 00:00:00
Revised: 2016-10-17 22:38:43

[Original] Format string vulnerability in gpgkeys_hkp (experimental HKP interface) for the GnuPG (gpg) client 1.2.3 and earlier, and 1.3.3 and earlier, allows remote attackers or a malicious keyserver to cause a denial of service (crash) and possibly execute arbitrary code during key retrieval.


[CNNVD] GnuPG external HKP format string handling vulnerability (CNNVD-200401-015)

GNU Privacy Guard (GnuPG) is an open-source encryption program.
When GnuPG uses the external HKP tool it does not adequately filter parameter input; a remote attacker can exploit this to mount a format string attack, potentially corrupting memory and executing arbitrary instructions on the system with the privileges of the GnuPG process.
GnuPG includes an external HKP interface. It is disabled by default in the 1.2 stable branch but can be activated with the '--enable-external-hkp' configure option; in the 1.3 branch the external HKP interface is enabled by default. When the external HKP interface is in use, GnuPG uses the 'gpgkeys_hkp' tool to access keyservers.
Because fprintf() is used incorrectly, a malicious HKP keyserver can attack GnuPG by replying with parameters containing format strings, corrupting memory in the GnuPG process; carefully crafted reply data may execute arbitrary instructions on the system with the privileges of the GnuPG process.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:gnu:privacy_guard:1.2 - GNU GNU Privacy Guard 1.2
cpe:/a:gnu:privacy_guard:1.3.3 - GNU GNU Privacy Guard 1.3.3
cpe:/a:gnu:privacy_guard:1.2.3 - GNU GNU Privacy Guard 1.2.3
cpe:/a:gnu:privacy_guard:1.2.2 - GNU GNU Privacy Guard 1.2.2
cpe:/a:gnu:privacy_guard:1.2.1 - GNU GNU Privacy Guard 1.2.1
cpe:/a:gnu:privacy_guard:1.2.2:rc1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0978
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0978
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200401-015
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107047470625214&w=2
(UNKNOWN)  BUGTRAQ  20031203 GnuPG 1.2.3, 1.3.3 external HKP interface format string issue
http://www.novell.com/linux/security/advisories/2003_048_gpg.html
(UNKNOWN)  SUSE  SuSE-SA:2003:048
http://www.s-quadra.com/advisories/Adv-20031203.txt
(UNKNOWN)  MISC  http://www.s-quadra.com/advisories/Adv-20031203.txt
http://xforce.iss.net/xforce/xfdb/13892
(VENDOR_ADVISORY)  XF  gnupg-gpgkeyshkp-format-string(13892)

- Vulnerability information

GnuPG external HKP format string handling vulnerability
High risk; input validation
2004-01-05 00:00:00 2005-10-20 00:00:00
Remote
(Description identical to the CNNVD text above.)

- Advisories and patches

Vendor patch:
GNU
---
The vendor has fixed this security issue in the latest version of the software; download it from the vendor's homepage:

http://www.gnu.org

- Vulnerability information

2899
GnuPG HTTP Keyserver Protocol Interface Format String
Local Access Required, Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability description

GnuPG contains a flaw that may allow a malicious user to cause a denial of service or execute arbitrary code. The issue is triggered when the external HKP interface is enabled and crafted data is sent. GnuPG's external HTTP Keyserver Protocol (HKP) interface contains a format string flaw in keyserver/gpgkeys_hkp.c that could allow a compromised key server to execute remote commands on a client machine requesting information. The external HKP interface is not enabled by default in 1.2 stable branch, but is enabled by default on the 1.3 devel branch. It is possible that the flaw may allow this execution of remote code, resulting in a loss of integrity.

- Timeline

2003-12-03 2003-11-27
Unknown Unknown

- Solution

Upgrade GnuPG to 1.2.3 Stable (with patches) or 1.3.4 Development as patches have been included to mitigate this flaw. Disabling support for HKP in the GnuPG software is a temporary workaround.

- References

- Discoverer

- Vulnerability information

GnuPG External HKP Format String Vulnerability
Class: Input Validation Error; Bugtraq ID: 9144
Remote: Yes; Local: No
Published: 2003-12-03 12:00:00; Updated: 2009-07-12 12:56:00
Discovery of this issue is credited to Evgeny Legerov.

- Affected program versions

Sun Cobalt RaQ XTR
Sun Cobalt Qube 3
GNU GNU Privacy Guard 1.3.3
GNU GNU Privacy Guard 1.2.3
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.2
+ Turbolinux Turbolinux Desktop 10.0
GNU GNU Privacy Guard 1.2.2 -rc1
+ S.u.S.E. Linux Personal 8.2
GNU GNU Privacy Guard 1.2.2 -r1
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
GNU GNU Privacy Guard 1.2.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
GNU GNU Privacy Guard 1.2.1
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG 1.2
+ RedHat Linux 9.0 i386
+ Terra Soft Solutions Yellow Dog Linux 3.0
GNU GNU Privacy Guard 1.2
GNU GNU Privacy Guard 1.3.4

- Unaffected program versions

GNU GNU Privacy Guard 1.3.4

- Discussion

GnuPG is prone to a remotely exploitable format string vulnerability in the external HKP interface (which is not typically enabled by default in stable versions). This is due to incorrect usage of fprintf(), potentially allowing a malicious HKP keyserver to execute arbitrary code on a system running the vulnerable software.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Sun have released fixes to address this issue in Sun Cobalt RaQ XTR and Qube 3 products. Fixes are linked below.

SuSE has released an advisory (SuSE-SA:2003:048) that includes fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

The vendor has addressed this issue in CVS for the 1.2 stable branch. Version 1.3.4 was also released to address this issue in the 1.3 development branch.

Gentoo has released an advisory (200312-05) to address this issue. All Gentoo Linux systems should be updated to use gnupg-1.2.3-r5 or higher as follows:

emerge sync
emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
emerge '>=app-crypt/gnupg-1.2.3-r5'
emerge clean

Sun Cobalt Qube 3
Sun Cobalt RaQ XTR
GNU GNU Privacy Guard 1.2.2
GNU GNU Privacy Guard 1.2.2 -rc1

- References
