From sup-info@opus.caldera.com Fri May 18 03:49:23 2001 From: Caldera Support Information To: bugtraq@securityfocus.com Date: Thu, 17 May 2001 11:53:16 -0600 Subject: Security update: [CSSA-2001-17.0] gnupg - private key retrieval vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ Caldera Systems, Inc. Security Advisory Subject: gnupg - private key retrieval vulnerability Advisory number: CSSA-2001-017.0 Issue date: 2001 May, 15 Cross reference: ______________________________________________________________________________ 1. Problem Description Researchers from ICZ, a Czech information security company, have discovered a vulnerability in the secret key handling of GnuPG. Certain manipulations of the victim's secret key ring can result in the disclosure of the private key when signing messages. This requires the attacker to have write access to the secret key ring of the victim, which usually would also allow him to just modify the gpg binary or install snooping software, so the attack itself is more of theoretical nature. The technical background for this attack is explained in * http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf (czech version) * http://www.icz.cz/en/pdf/openPGP_attack_ENGvktr.pdf (english * version) 2. Vulnerable Versions System Package ----------------------------------------------------------- OpenLinux 2.3 All packages previous to gnupg-1.0.5-3 OpenLinux eServer 2.3.1 All packages previous to and OpenLinux eBuilder gnupg-1.0.5-3 OpenLinux eDesktop 2.4 All packages previous to gnupg-1.0.5-3 3. Solution Workaround none The proper solution is to upgrade to the latest packages. 4. OpenLinux 2.3 4.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS 4.2 Verification 084b2a3e1a352630a68108d47f09c286 RPMS/gnupg-1.0.5-3.i386.rpm 0335e8b1b0230ee58ae39c4603ce5d8d SRPMS/gnupg-1.0.5-3.src.rpm 4.3 Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -Fhv gnupg-*.i386.rpm 5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0 5.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS 5.2 Verification 75b032166b0fb5a389aaf5b2e13f98e6 RPMS/gnupg-1.0.5-3.i386.rpm 0335e8b1b0230ee58ae39c4603ce5d8d SRPMS/gnupg-1.0.5-3.src.rpm 5.3 Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -Fvh gnupg-*i386.rpm 6. OpenLinux eDesktop 2.4 6.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS 6.2 Verification 31c53f76dfe78419b6f1975bad2d89a4 RPMS/gnupg-1.0.5-3.i386.rpm 0335e8b1b0230ee58ae39c4603ce5d8d SRPMS/gnupg-1.0.5-3.src.rpm 6.3 Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -Fvh gnupg-*i386.rpm 7. References This and other Caldera security resources are located at: http://www.calderasystems.com/support/security/index.html This security fix closes Caldera's internal Problem Report 9581. 8. Disclaimer Caldera Systems, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux. 9. Acknowledgements: Caldera International wishes to thank the ICZ team for spotting this problem. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7AmVB18sy83A/qfwRAq59AKCats/5IlvHjPQEnDXGqApSvBvfhACeO3kU 0ZgH1MJp3WwwqvUXPjIrUl8= =PJMT -----END PGP SIGNATURE----- ^@