Published: 2004-01-05 00:00:00
Revised: 2016-10-17 22:38:43

[Original] Format string vulnerability in gpgkeys_hkp (experimental HKP interface) for the GnuPG (gpg) client 1.2.3 and earlier, and 1.3.3 and earlier, allows remote attackers or a malicious keyserver to cause a denial of service (crash) and possibly execute arbitrary code during key retrieval.


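GNU Privacy Guard (GnuPG) is an open-source encryption program.
GnuPG includes an external HKP interface. It is not enabled by default in the 1.2 stable version but can be activated with the '--enable-external-hkp' configure option; in the 1.3 versions the external HKP interface is enabled by default. When the external HKP interface is in use, GnuPG uses the 'gpgkeys_hkp' utility to access keyservers.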

- CVSS (Base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

cpe:/a:gnu:privacy_guard:1.2.2  GNU GNU Privacy Guard 1.2.2
cpe:/a:gnu:privacy_guard:1.2.1  GNU GNU Privacy Guard 1.2.1
cpe:/a:gnu:privacy_guard:1.3.3  GNU GNU Privacy Guard 1.3.3
cpe:/a:gnu:privacy_guard:1.2  GNU GNU Privacy Guard 1.2
cpe:/a:gnu:privacy_guard:1.2.3  GNU GNU Privacy Guard 1.2.3

- OVAL (Technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20031203 GnuPG 1.2.3, 1.3.3 external HKP interface format string issue
(UNKNOWN)  SUSE  SuSE-SA:2003:048
(VENDOR_ADVISORY)  XF  gnupg-gpgkeyshkp-format-string(13892)

- Vulnerability information

High risk  Input validation
2004-01-05 00:00:00 2005-10-20 00:00:00

- Advisories and patches


- Vulnerability information

GnuPG HTTP Keyserver Protocol Interface Format String
Local Access Required, Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability description

GnuPG contains a flaw that may allow a malicious user to cause a denial of service or execute arbitrary code. The issue is triggered when the external HKP interface is enabled and crafted data is sent. GnuPG's external HTTP Keyserver Protocol (HKP) interface contains a format string flaw in keyserver/gpgkeys_hkp.c that could allow a compromised key server to execute remote commands on a client machine requesting information. The external HKP interface is not enabled by default in 1.2 stable branch, but is enabled by default on the 1.3 devel branch. It is possible that the flaw may allow this execution of remote code, resulting in a loss of integrity.

- Timeline

2003-12-03 2003-11-27
Unknown Unknown

- Solution

Upgrade GnuPG to 1.2.3 Stable (with patches) or 1.3.4 Development as patches have been included to mitigate this flaw. Disabling support for HKP in the GnuPG software is a temporary workaround.

- Related references

- Vulnerability author

- Vulnerability information

GnuPG External HKP Format String Vulnerability
Input Validation Error 9144
Yes No
2003-12-03 12:00:00 2009-07-12 12:56:00
Discovery of this issue is credited to Evgeny Legerov.

- Affected program versions

Sun Cobalt RaQ XTR
Sun Cobalt Qube 3
GNU GNU Privacy Guard 1.3.3
GNU GNU Privacy Guard 1.2.3
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.2
+ Turbolinux Turbolinux Desktop 10.0
GNU GNU Privacy Guard 1.2.2 -rc1
+ S.u.S.E. Linux Personal 8.2
GNU GNU Privacy Guard 1.2.2 -r1
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
GNU GNU Privacy Guard 1.2.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
GNU GNU Privacy Guard 1.2.1
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG 1.2
+ RedHat Linux 9.0 i386
+ Terra Soft Solutions Yellow Dog Linux 3.0
GNU GNU Privacy Guard 1.2
GNU GNU Privacy Guard 1.3.4

- Unaffected program versions

GNU GNU Privacy Guard 1.3.4

- Vulnerability discussion

GnuPG is prone to a remotely exploitable format string vulnerability in the external HKP interface (which is not typically enabled by default in stable versions). This is due to incorrect usage of fprintf(), potentially allowing a malicious HKP keyserver to execute arbitrary code on a system running the vulnerable software.
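
The fprintf() misuse described above, shown as an added C illustration of the bug class next to its fix. This is not GnuPG source code; the function names and the sample reply line are hypothetical and constructed.

```c
/* Added illustration of the bug class; not GnuPG source code.
   Function names and the sample reply are hypothetical/constructed. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: text received from the keyserver is passed as the
   format string, so fprintf() interprets any '%' directive it contains. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int relay_line_vulnerable(FILE *out, const char *server_line)
{
    return fprintf(out, server_line);
}
#pragma GCC diagnostic pop

/* Hardened form: constant format string, server text only as an argument. */
int relay_line_safe(FILE *out, const char *server_line)
{
    return fprintf(out, "%s", server_line);
}

/* Returns 1 if `relay` writes `line` byte for byte, 0 if not, -1 on error. */
int relays_verbatim(int (*relay)(FILE *, const char *), const char *line)
{
    char buf[256];
    size_t n;
    FILE *tmp = tmpfile();
    if (tmp == NULL)
        return -1;
    relay(tmp, line);
    rewind(tmp);
    n = fread(buf, 1, sizeof buf - 1, tmp);
    buf[n] = '\0';
    fclose(tmp);
    return strcmp(buf, line) == 0;
}

/* Constructed keyserver reply containing conversion specifiers. */
const char CONSTRUCTED_REPLY[] = "pub 1024D/%x%x%s constructed test key\n";

int main(void)
{
    /* "%%" consumes no argument, so it is safe to feed to the vulnerable
       path while still showing that the data is being interpreted. */
    printf("vulnerable, \"100%%%% done\": verbatim=%d\n",
           relays_verbatim(relay_line_vulnerable, "100%% done\n"));
    printf("safe, constructed reply: verbatim=%d\n",
           relays_verbatim(relay_line_safe, CONSTRUCTED_REPLY));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (silenced here by the pragmas) flags the vulnerable call at compile time, which makes it a cheap audit check for code that relays network data.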

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

Sun have released fixes to address this issue in Sun Cobalt RaQ XTR and Qube 3 products. Fixes are linked below.

SuSE has released an advisory (SuSE-SA:2003:048) that includes fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

The vendor has addressed this issue in CVS for the 1.2 stable branch. Version 1.3.4 was also released to address this issue in the 1.3 development branch.

Gentoo has released an advisory (200312-05) to address this issue. All Gentoo Linux systems should be updated to use gnupg-1.2.3-r5 or higher as follows:

emerge sync
emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
emerge '>=app-crypt/gnupg-1.2.3-r5'
emerge clean

Sun Cobalt Qube 3

Sun Cobalt RaQ XTR

GNU GNU Privacy Guard 1.2.2

GNU GNU Privacy Guard 1.2.2 -rc1

- Related references