ID CVE-2006-6169
Summary Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt.
References
Vulnerable Configurations
  • cpe:2.3:a:gnupg:gnupg:1.4
  • GnuPG (Privacy Guard) 2.0
    cpe:2.3:a:gnupg:gnupg:2.0
CVSS
Base: 6.8 (as of 29-11-2006 - 18:31)
Impact:
Exploitability:
Access: Vector NETWORK, Complexity MEDIUM, Authentication NONE
Impact: Confidentiality PARTIAL, Integrity PARTIAL, Availability PARTIAL
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-221.NASL
    description Buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages that cause the make_printable_string function to return a longer string than expected while constructing a prompt. Updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24605
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24605
    title Mandrake Linux Security Advisory : gnupg (MDKSA-2006:221)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-389-1.NASL
    description A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user's privileges. This vulnerability is not exposed when running gpg in batch mode. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 27972
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27972
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : gnupg vulnerability (USN-389-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200612-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-200612-03 (GnuPG: Multiple vulnerabilities) Hugh Warrington has reported a boundary error in GnuPG, in the 'ask_outfile_name()' function from openfile.c: the make_printable_string() function could return a string longer than expected. Additionally, Tavis Ormandy of the Gentoo Security Team reported a design error in which a function pointer can be incorrectly dereferenced. Impact : A remote attacker could entice a user to interactively use GnuPG on a crafted file and trigger the boundary error, which will result in a buffer overflow. They could also entice a user to process a signed or encrypted file with gpg or gpgv, possibly called through another application like a mail client, to trigger the dereference error. Both of these vulnerabilities would result in the execution of arbitrary code with the permissions of the user running GnuPG. gpg-agent, gpgsm and other tools are not affected. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 23855
    published 2006-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23855
    title GLSA-200612-03 : GnuPG: Multiple vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1231.NASL
    description Several remote vulnerabilities have been discovered in the GNU privacy guard, a free PGP replacement, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-6169 Werner Koch discovered that a buffer overflow in a sanitising function may lead to execution of arbitrary code when running gnupg interactively. - CVE-2006-6235 Tavis Ormandy discovered that parsing a carefully crafted OpenPGP packet may lead to the execution of arbitrary code, as a function pointer of an internal structure may be controlled through the decryption routines.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 23792
    published 2006-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23792
    title Debian DSA-1231-1 : gnupg - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0754.NASL
    description Updated GnuPG packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create a carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap-based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which, with user interaction, could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 23798
    published 2006-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23798
    title RHEL 2.1 / 3 / 4 : gnupg (RHSA-2006:0754)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG-2355.NASL
    description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode. (CVE-2006-6169) - Specially crafted files could modify a function pointer and execute code this way. (CVE-2006-6235)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29449
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29449
    title SuSE 10 Security Update : gpg (ZYPP Patch Number 2355)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG-2353.NASL
    description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode (CVE-2006-6169). - Specially crafted files could modify a function pointer and execute code this way (CVE-2006-6235).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27246
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27246
    title openSUSE 10 Security Update : gpg (gpg-2353)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0754.NASL
    description From Red Hat Security Advisory 2006:0754 : Updated GnuPG packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create a carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap-based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which, with user interaction, could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67429
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67429
    title Oracle Linux 4 : gnupg (ELSA-2006-0754)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG-2388.NASL
    description - Specially crafted files could overflow a buffer when gpg was used in interactive mode (CVE-2006-6169). - Specially crafted files could modify a function pointer and execute code this way (CVE-2006-6235).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27247
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27247
    title openSUSE 10 Security Update : gpg (gpg-2388)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-340-01.NASL
    description New gnupg packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security issues.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 24662
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24662
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 9.0 / 9.1 : gnupg (SSA:2006-340-01)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-393-2.NASL
    description USN-389-1 and USN-393-1 fixed vulnerabilities in gnupg. This update provides the corresponding updates for gnupg2. A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user's privileges. This vulnerability is not exposed when running gpg in batch mode. (CVE-2006-6169) Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user's privileges. (CVE-2006-6235). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 27979
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27979
    title Ubuntu 6.10 : gnupg2 vulnerabilities (USN-393-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG2-2352.NASL
    description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode (CVE-2006-6169). - Specially crafted files could modify a function pointer and execute code this way (CVE-2006-6235).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27251
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27251
    title openSUSE 10 Security Update : gpg2 (gpg2-2352)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG2-2354.NASL
    description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode. (CVE-2006-6169) - Specially crafted files could modify a function pointer and execute code this way. (CVE-2006-6235)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29452
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29452
    title SuSE 10 Security Update : gpg2 (ZYPP Patch Number 2354)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0754.NASL
    description Updated GnuPG packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create a carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap-based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which, with user interaction, could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 23789
    published 2006-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23789
    title CentOS 3 / 4 : gnupg (CESA-2006:0754)
oval via4
accepted 2013-04-29T04:12:31.217-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt.
family unix
id oval:org.mitre.oval:def:11228
status accepted
submitted 2010-07-09T03:56:16-04:00
title Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt.
version 23
redhat via4
advisories
rhsa
id RHSA-2006:0754
rpms
  • gnupg-0:1.2.1-19
  • gnupg-0:1.2.6-8
refmap via4
bid 21306
bugtraq
  • 20061127 GnuPG 1.4 and 2.0 buffer overflow
  • 20061201 rPSA-2006-0224-1 gnupg
confirm
debian DSA-1231
gentoo GLSA-200612-03
mandriva MDKSA-2006:221
misc https://bugs.g10code.com/gnupg/issue728
mlist [gnupg-announce] 20061127 GnuPG 1.4 and 2.0 buffer overflow
openpkg OpenPKG-SA-2006.037
sectrack 1017291
secunia
  • 23094
  • 23110
  • 23146
  • 23161
  • 23171
  • 23250
  • 23269
  • 23284
  • 23299
  • 23303
  • 23513
  • 24047
sgi 20061201-01-P
sreason 1927
suse SUSE-SA:2006:075
trustix 2006-0068
ubuntu
  • USN-389-1
  • USN-393-2
vupen ADV-2006-4736
xf gnupg-openfile-bo(30550)
statements via4
contributor Joshua Bressers
lastmodified 2007-03-14
organization Red Hat
statement Red Hat does not consider this bug to be a security flaw. In order for this flaw to be exploited, a user would be required to enter shellcode into an interactive GnuPG session. Red Hat considers this to be an unlikely scenario. Red Hat Enterprise Linux 5 contains a backported patch to address this issue.
Last major update 07-03-2011 - 21:45
Published 29-11-2006 - 13:28
Last modified 17-10-2018 - 17:47