ID CVE-2006-6235
Summary A "stack overwrite" vulnerability in GnuPG (gpg) 1.x before 1.4.6, 2.x before 2.0.2, and 1.9.0 through 1.9.95 allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.
References
Vulnerable Configurations
  • GNU GNU Privacy Guard 1.2.4
    cpe:2.3:a:gnu:privacy_guard:1.2.4
  • GNU GNU Privacy Guard 1.2.5
    cpe:2.3:a:gnu:privacy_guard:1.2.5
  • GNU GNU Privacy Guard 1.2.6
    cpe:2.3:a:gnu:privacy_guard:1.2.6
  • GNU GNU Privacy Guard 1.2.7
    cpe:2.3:a:gnu:privacy_guard:1.2.7
  • GNU GNU Privacy Guard 1.3.3
    cpe:2.3:a:gnu:privacy_guard:1.3.3
  • GNU GNU Privacy Guard 1.3.4
    cpe:2.3:a:gnu:privacy_guard:1.3.4
  • GNU GNU Privacy Guard 1.4
    cpe:2.3:a:gnu:privacy_guard:1.4
  • GNU GNU Privacy Guard 1.4.1
    cpe:2.3:a:gnu:privacy_guard:1.4.1
  • GNU GNU Privacy Guard 1.4.2
    cpe:2.3:a:gnu:privacy_guard:1.4.2
  • GNU GNU Privacy Guard 1.4.2.1
    cpe:2.3:a:gnu:privacy_guard:1.4.2.1
  • GNU GNU Privacy Guard 1.4.2.2
    cpe:2.3:a:gnu:privacy_guard:1.4.2.2
  • GNU GNU Privacy Guard 1.4.3
    cpe:2.3:a:gnu:privacy_guard:1.4.3
  • GNU GNU Privacy Guard 1.4.4
    cpe:2.3:a:gnu:privacy_guard:1.4.4
  • GNU GNU Privacy Guard 1.4.5
    cpe:2.3:a:gnu:privacy_guard:1.4.5
  • GNU GNU Privacy Guard 1.9.10
    cpe:2.3:a:gnu:privacy_guard:1.9.10
  • GNU GNU Privacy Guard 1.9.15
    cpe:2.3:a:gnu:privacy_guard:1.9.15
  • GNU GNU Privacy Guard 1.9.20
    cpe:2.3:a:gnu:privacy_guard:1.9.20
  • GNU GNU Privacy Guard 2.0
    cpe:2.3:a:gnu:privacy_guard:2.0
  • GNU GNU Privacy Guard 2.0.1
    cpe:2.3:a:gnu:privacy_guard:2.0.1
  • Gpg4win 1.0.7
    cpe:2.3:a:gpg4win:gpg4win:1.0.7
  • Red Hat Enterprise Linux 4.0 Advanced Server
    cpe:2.3:o:redhat:enterprise_linux:4.0:-:advanced_server
  • Red Hat Enterprise Linux 4.0 Enterprise Server
    cpe:2.3:o:redhat:enterprise_linux:4.0:-:enterprise_server
  • Red Hat Enterprise Linux 4.0 Workstation
    cpe:2.3:o:redhat:enterprise_linux:4.0:-:workstation
  • Red Hat Desktop 3.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:3.0
  • Red Hat Desktop 4.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:4.0
  • Red Hat Fedora Core 6
    cpe:2.3:o:redhat:fedora_core:core6
  • Red Hat Fedora Core 5.0
    cpe:2.3:o:redhat:fedora_core:core_5.0
  • Red Hat Linux Advanced Workstation 2.1 Itanium Processor
    cpe:2.3:o:redhat:linux_advanced_workstation:2.1:-:itanium_processor
  • rPath Linux 1
    cpe:2.3:o:rpath:linux:1
  • Slackware Linux 11.0
    cpe:2.3:o:slackware:slackware_linux:11.0
  • Ubuntu Linux 5.10
    cpe:2.3:o:ubuntu:ubuntu_linux:5.10
  • Ubuntu Linux 6.06
    cpe:2.3:o:ubuntu:ubuntu_linux:6.06
CVSS
Base: 10.0 (as of 07-12-2006 - 16:42)
Impact: 10.0
Exploitability: 10.0
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-393-1.NASL
    description Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user's privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 27978
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27978
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : gnupg vulnerability (USN-393-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200612-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-200612-03 (GnuPG: Multiple vulnerabilities) Hugh Warrington has reported a boundary error in GnuPG, in the 'ask_outfile_name()' function from openfile.c: the make_printable_string() function could return a string longer than expected. Additionally, Tavis Ormandy of the Gentoo Security Team reported a design error in which a function pointer can be incorrectly dereferenced. Impact : A remote attacker could entice a user to interactively use GnuPG on a crafted file and trigger the boundary error, which will result in a buffer overflow. They could also entice a user to process a signed or encrypted file with gpg or gpgv, possibly called through another application like a mail client, to trigger the dereference error. Both of these vulnerabilities would result in the execution of arbitrary code with the permissions of the user running GnuPG. gpg-agent, gpgsm and other tools are not affected. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 23855
    published 2006-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23855
    title GLSA-200612-03 : GnuPG: Multiple vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4DB1669C858911DBAC4F02E081235DAB.NASL
    description Werner Koch reports : GnuPG uses data structures called filters to process OpenPGP messages. These filters are used in a similar way to pipelines in the shell. For communication between these filters context structures are used. These are usually allocated on the stack and passed to the filter functions. At most places the OpenPGP data stream fed into these filters is closed before the context structure gets deallocated. While decrypting encrypted packets, this may not happen in all cases and the filter may use a void context structure filled with garbage. An attacker may control this garbage. The filter context includes another context used by the low-level decryption to access the decryption algorithm. This is done using a function pointer. By carefully crafting an OpenPGP message, an attacker may control this function pointer and call an arbitrary function of the process. Obviously an exploit needs to be prepared for a specific version, compiler, libc, etc. to be successful - but it is definitely doable. Fixing this is obvious: We need to allocate the context on the heap and use a reference count to keep it valid as long as either the controlling code or the filter code needs it. We have checked all other usages of such stack based filter contexts but fortunately found no other vulnerable places. This allows us to release a relatively small patch. However, for reasons of code cleanness and easier audits we will soon start to change all these stack based filter contexts to heap based ones.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 23794
    published 2006-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23794
    title FreeBSD : gnupg -- remotely controllable function pointer (4db1669c-8589-11db-ac4f-02e081235dab)
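The filter-context lifetime problem Werner Koch describes in the entry above, as an added example that is not GnuPG's code: the vulnerable shape (a context living in the controller's stack frame, left attached to the filter on an error path where the stream is never closed) is shown in a comment because executing it is undefined behaviour, and the hardened shape he outlines (heap allocation plus a reference count shared by the controlling code and the filter) is implemented and exercised. All names, the one-byte XOR "cipher" and the packet layout are assumptions made for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical names, not GnuPG's). The filter reaches its
   algorithm through a function pointer, as the advisory describes. */
typedef struct cipher_ctx {
    void (*decrypt)(struct cipher_ctx *c, uint8_t *buf, size_t len);
    uint8_t key;
    int refcount;   /* only meaningful in the hardened version */
} cipher_ctx;

/* Toy "algorithm": XOR with a one-byte key taken from the packet. */
static void xor_decrypt(cipher_ctx *c, uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= c->key;
}

/* The pipeline stage only holds a pointer to whatever context was attached. */
typedef struct { cipher_ctx *ctx; } pipeline;

/* ---- Vulnerable shape (the bug in the advisory), not executed here:

   static int decrypt_packet_on_stack(pipeline *p, const uint8_t *pkt, size_t n)
   {
       cipher_ctx c = { xor_decrypt, pkt[0], 0 };  // context lives in this frame
       p->ctx = &c;                                 // the filter now points at it
       if (n < 2)
           return -1;        // error path: returns WITHOUT detaching the filter
       ...
       p->ctx = NULL;        // only the happy path "closes" the stream
       return 0;
   }

   After the early return p->ctx points into a dead stack frame. Whatever later
   calls place there (attacker-influenced packet bytes included) becomes
   c.decrypt, and the pipeline's next p->ctx->decrypt(...) jumps to it.
   ---- */

/* ---- Hardened shape: heap-allocated context, reference counted. ---- */
static cipher_ctx *ctx_new(uint8_t key)
{
    cipher_ctx *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->decrypt = xor_decrypt;
    c->key = key;
    c->refcount = 1;           /* the creator's reference */
    return c;
}

static cipher_ctx *ctx_ref(cipher_ctx *c) { c->refcount++; return c; }

static void ctx_unref(cipher_ctx *c)
{
    if (c && --c->refcount == 0)
        free(c);
}

/* The filter takes its own reference, so the context outlives the caller's frame. */
static void pipeline_attach(pipeline *p, cipher_ctx *c)
{
    ctx_unref(p->ctx);
    p->ctx = ctx_ref(c);
}

static void pipeline_detach(pipeline *p)
{
    ctx_unref(p->ctx);
    p->ctx = NULL;
}

/* Later use by the pipeline: safe as long as it still holds a reference. */
static int pipeline_flush(pipeline *p, uint8_t *buf, size_t len)
{
    if (!p->ctx)
        return -1;
    p->ctx->decrypt(p->ctx, buf, len);
    return 0;
}

/* Controller with the same early-return path as the vulnerable version.
   Constructed packet layout: byte 0 = key, remaining bytes = ciphertext. */
static int decrypt_packet_on_heap(pipeline *p, const uint8_t *pkt, size_t n,
                                  uint8_t *out)
{
    if (n < 1)
        return -1;
    cipher_ctx *c = ctx_new(pkt[0]);
    pipeline_attach(p, c);
    ctx_unref(c);              /* controller drops its ref; the filter's keeps c alive */
    if (n < 2)
        return -1;             /* early return: p->ctx is still valid, not dangling */
    memcpy(out, pkt + 1, n - 1);
    if (pipeline_flush(p, out, n - 1) != 0)
        return -1;
    pipeline_detach(p);        /* the "close": last reference, context freed here */
    return 0;
}

int main(void)
{
    pipeline p = { NULL };
    uint8_t pkt[] = { 0x20, 'h' ^ 0x20, 'i' ^ 0x20 };   /* constructed: key + "hi" */
    uint8_t out[2];
    if (decrypt_packet_on_heap(&p, pkt, sizeof pkt, out) == 0)
        printf("decrypted: %.2s, ctx still attached: %s\n",
               (const char *)out, p.ctx ? "yes" : "no");
    /* truncated packet: the controller bails early, the filter still owns a live ctx */
    decrypt_packet_on_heap(&p, pkt, 1, out);
    uint8_t late[] = { 'o' ^ 0x20, 'k' ^ 0x20 };
    if (pipeline_flush(&p, late, sizeof late) == 0)
        printf("late flush through live ctx: %.2s (refcount %d)\n",
               (const char *)late, p.ctx->refcount);
    pipeline_detach(&p);
    return 0;
}
```

The point of the refcount is in the truncated-packet path: the controller returns without closing the stream, exactly as in the bug, but because the filter holds its own reference the function pointer it dereferences later is still the one the controller installed rather than whatever now occupies a dead frame.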
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1231.NASL
    description Several remote vulnerabilities have been discovered in the GNU privacy guard, a free PGP replacement, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-6169 Werner Koch discovered that a buffer overflow in a sanitising function may lead to execution of arbitrary code when running gnupg interactively. - CVE-2006-6235 Tavis Ormandy discovered that parsing a carefully crafted OpenPGP packet may lead to the execution of arbitrary code, as a function pointer of an internal structure may be controlled through the decryption routines.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 23792
    published 2006-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23792
    title Debian DSA-1231-1 : gnupg - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0754.NASL
    description Updated GnuPG packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create a carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which with user interaction could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 23798
    published 2006-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23798
    title RHEL 2.1 / 3 / 4 : gnupg (RHSA-2006:0754)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG-2355.NASL
    description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode. (CVE-2006-6169) - Specially crafted files could modify a function pointer and execute code this way. (CVE-2006-6235)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29449
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29449
    title SuSE 10 Security Update : gpg (ZYPP Patch Number 2355)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG-2353.NASL
    description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode (CVE-2006-6169). - Specially crafted files could modify a function pointer and execute code this way (CVE-2006-6235).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27246
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27246
    title openSUSE 10 Security Update : gpg (gpg-2353)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-228.NASL
    description A 'stack overwrite' vulnerability in GnuPG (gpg) allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory. Updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24611
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24611
    title Mandrake Linux Security Advisory : gnupg (MDKSA-2006:228)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0754.NASL
    description From Red Hat Security Advisory 2006:0754 : Updated GnuPG packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create a carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which with user interaction could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67429
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67429
    title Oracle Linux 4 : gnupg (ELSA-2006-0754)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG-2388.NASL
    description - Specially crafted files could overflow a buffer when gpg was used in interactive mode (CVE-2006-6169). - Specially crafted files could modify a function pointer and execute code this way (CVE-2006-6235).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27247
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27247
    title openSUSE 10 Security Update : gpg (gpg-2388)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-340-01.NASL
    description New gnupg packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security issues.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 24662
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24662
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 9.0 / 9.1 : gnupg (SSA:2006-340-01)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-393-2.NASL
    description USN-389-1 and USN-393-1 fixed vulnerabilities in gnupg. This update provides the corresponding updates for gnupg2. A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user's privileges. This vulnerability is not exposed when running gpg in batch mode. (CVE-2006-6169) Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user's privileges. (CVE-2006-6235). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 27979
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27979
    title Ubuntu 6.10 : gnupg2 vulnerabilities (USN-393-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG2-2352.NASL
    description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode (CVE-2006-6169). - Specially crafted files could modify a function pointer and execute code this way (CVE-2006-6235).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27251
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27251
    title openSUSE 10 Security Update : gpg2 (gpg2-2352)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GPG2-2354.NASL
    description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode. (CVE-2006-6169) - Specially crafted files could modify a function pointer and execute code this way. (CVE-2006-6235)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29452
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29452
    title SuSE 10 Security Update : gpg2 (ZYPP Patch Number 2354)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0754.NASL
    description Updated GnuPG packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create a carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which with user interaction could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 23789
    published 2006-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23789
    title CentOS 3 / 4 : gnupg (CESA-2006:0754)
oval via4
accepted 2013-04-29T04:12:38.470-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description A "stack overwrite" vulnerability in GnuPG (gpg) 1.x before 1.4.6, 2.x before 2.0.2, and 1.9.0 through 1.9.95 allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.
family unix
id oval:org.mitre.oval:def:11245
status accepted
submitted 2010-07-09T03:56:16-04:00
title A "stack overwrite" vulnerability in GnuPG (gpg) 1.x before 1.4.6, 2.x before 2.0.2, and 1.9.0 through 1.9.95 allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.
version 23
redhat via4
advisories
bugzilla
id 218505
title CVE-2006-6169 GnuPG heap overflow
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • comment gnupg is earlier than 0:1.2.1-19
      oval oval:com.redhat.rhsa:tst:20060754002
    • comment gnupg is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20060754003
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • comment gnupg is earlier than 0:1.2.6-8
      oval oval:com.redhat.rhsa:tst:20060754005
    • comment gnupg is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20060754003
rhsa
id RHSA-2006:0754
released 2006-12-06
severity Important
title RHSA-2006:0754: gnupg security update (Important)
rpms
  • gnupg-0:1.2.1-19
  • gnupg-0:1.2.6-8
refmap via4
bid 21462
bugtraq
  • 20061206 GnuPG: remotely controllable function pointer [CVE-2006-6235]
  • 20061206 rPSA-2006-0227-1 gnupg
cert-vn VU#427009
confirm
debian DSA-1231
gentoo GLSA-200612-03
mandriva MDKSA-2006:228
mlist [gnupg-announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
openpkg OpenPKG-SA-2006.037
sectrack 1017349
secunia
  • 23245
  • 23250
  • 23255
  • 23259
  • 23269
  • 23284
  • 23290
  • 23299
  • 23303
  • 23329
  • 23335
  • 23513
  • 24047
sgi 20061201-01-P
suse
  • SUSE-SA:2006:075
  • SUSE-SR:2006:028
trustix 2006-0070
ubuntu
  • USN-393-1
  • USN-393-2
vupen ADV-2006-4881
xf gnupg-openpgp-code-execution(30711)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 07-03-2011 - 21:45
Published 07-12-2006 - 06:28
Last modified 17-10-2018 - 17:47