Debian: New gnupg packages fix arbitrary code execution
Summary
- --------------------------------------------------------------------------Debian Security Advisory DSA 1231-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff December 9th, 2006 http://www.debian.org/security/faq - --------------------------------------------------------------------------Package : gnupg Vulnerability : several Problem-Type : local(remote) Debian-specific: no CVE ID : CVE-2006-6169 CVE-2006-6235 Debian Bug : 401894 401898 401914 Several remote vulnerabilities have been discovered in the GNU privacy, a free PGP replacement, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-6169 Werner Koch discovered that a buffer overflow in a sanitising function may lead to execution of arbitrary code when running gnupg interactively. CVE-2006-6235 Tavis Ormandy discovered that parsing a carefully crafted OpenPGP packet may lead to the execution of arbitrary code, as a function pointer of an internal structure may be controlled through the decryption routines. For the stable distribution (sarge) these problems have been fixed in version 1.4.1-1.sarge6. For the upcoming stable distribution (etch) these problems have been fixed in version 1.4.6-1. For the unstable distribution (sid) these problems have been fixed in version 1.4.6-1. We recommend that you upgrade your gnupg packages. Upgrade Instructions - --------------------wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: Size/MD5 checksum: 680 f99d9936fdb3d87b37f719d4f507702a Size/MD5 checksum: 22889 219b13435d4594c530614638590b65d3 Size/MD5 checksum: 4059170 1cc77c6943baaa711222e954bbd785e5 Alpha architecture: Size/MD5 checksum: 2156230 950520b2391eb6444593c66a8e96d6c3 AMD64 architecture: Size/MD5 checksum: 1963738 589ab9ab433e000e919a38f558f54f5e ARM architecture: Size/MD5 checksum: 1899822 158ed8fe21da9e2b8c730b3b2acce9a8 HP Precision architecture: Size/MD5 checksum: 2004374 9daff80c38cf65bb299fb5ee370d44d6 Intel IA-32 architecture: Size/MD5 checksum: 1909194 8752d3578b55a7fd1535bba18ca0770c Intel IA-64 architecture: Size/MD5 checksum: 2325806 38fa7bb8def3d1a296aa6aa3432561a3 Motorola 680x0 architecture: Size/MD5 checksum: 1811222 f51182d8badb7c2b0ef42b78c71be16d Big endian MIPS architecture: Size/MD5 checksum: 2001184 cc087abacd572bed64a2ab191d863946 Little endian MIPS architecture: Size/MD5 checksum: 2007888 c42342dd898361ed9fcee1bdc8edc3e2 PowerPC architecture: Size/MD5 checksum: 1958036 ff8ee1d008561ce87732847e895024ec IBM S/390 architecture: Size/MD5 checksum: 1967406 693212d3c1b12bf7f6f204daa0531f6a Sun Sparc architecture: Size/MD5 checksum: 1897740 3821e5e9e69241324d781fe78ed1ace7 These files will probably be moved into the stable distribution on its next update. - ---------------------------------------------------------------------------------For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org
Sign up to get the latest security news affecting Linux and
open source delivered straight to your inbox
Powered By
Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.