Vulnerabilities > CVE-2006-3746 - Unspecified vulnerability in Gnupg 1.4.4
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | GnuPG 1.4/1.9 Parse_Comment Remote Buffer Overflow Vulnerability. CVE-2006-3746. DoS exploit for Linux platform |
id | EDB-ID:28257 |
last seen | 2016-02-03 |
modified | 2006-07-22 |
published | 2006-07-22 |
reporter | Evgeny Legerov |
source | https://www.exploit-db.com/download/28257/ |
title | GnuPG 1.4/1.9 Parse_Comment Remote Buffer Overflow Vulnerability |
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-332-1.NASL description Evgeny Legerov discovered that gnupg did not sufficiently check the validity of the comment and a control field. Specially crafted GPG data could cause a buffer overflow. This could be exploited to execute arbitrary code with the user last seen 2020-06-01 modified 2020-06-02 plugin id 27911 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27911 title Ubuntu 5.04 / 5.10 / 6.06 LTS : gnupg vulnerability (USN-332-1) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-332-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
# Purpose: local (credentialed) package check for USN-332-1 / CVE-2006-3746.
# It evaluates the gnupg package on Ubuntu 5.04 / 5.10 / 6.06 via
# ubuntu_check() and reports when any check is flagged. Nothing in this
# script feeds GPG data to the target; the verdict rests on package data
# already stored in the knowledge base (KB).

include("compat.inc");

# Registration block: plugin metadata only. The exit(0) at its end leaves
# the script before any of the host checks below run.
if (description)
{
  script_id(27911);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:33:01");

  script_cve_id("CVE-2006-3746");
  script_bugtraq_id(19110);
  script_xref(name:"USN", value:"332-1");

  script_name(english:"Ubuntu 5.04 / 5.10 / 6.06 LTS : gnupg vulnerability (USN-332-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value: "Evgeny Legerov discovered that gnupg did not sufficiently check the validity of the comment and a control field. Specially crafted GPG data could cause a buffer overflow. This could be exploited to execute arbitrary code with the user's privileges if an attacker can trick an user into processing a malicious encrypted/signed document with gnupg. 
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/332-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected gnupg package.");
  # NOTE(review): the base vector rates availability impact only
  # (C:N/I:N/A:P), while the description text above mentions possible
  # arbitrary code execution with the user's privileges. Keep that gap in
  # mind when prioritising on the CVSS score alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # plugin_type "local": the result comes from host-side package data.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gnupg");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/08/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  # ssh_get_info.nasl is not shown here; presumably it fills the Host/* KB
  # items listed below - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

# audit() comes from audit.inc (not shown); presumably it ends the script
# with the given audit reason, so each test below acts as a gate.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
# Only the exact release strings 5.04, 5.10 and 6.06 pass this gate.
if (! ereg(pattern:"^(5\.04|5\.10|6\.06)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.04 / 5.10 / 6.06", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
# Coverage limit: a host whose cpu string neither contains "x86_64" nor
# matches i386-i686 is audited out here, so it gets no verdict from this
# plugin either way.
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

# One ubuntu_check() per release. The helper is defined in ubuntu.inc (not
# shown); presumably it is true when the installed gnupg is older than
# pkgver - verify there.
flag = 0;

if (ubuntu_check(osver:"5.04", pkgname:"gnupg", pkgver:"1.2.5-3ubuntu5.5")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"gnupg", pkgver:"1.4.1-1ubuntu1.4")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"gnupg", pkgver:"1.4.2.2-1ubuntu2.2")) flag++;

if (flag)
{
  # Any flagged check yields a warning-severity report on port 0, with the
  # text returned by ubuntu_report_get() attached.
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  # No check flagged: audit as "not affected" when ubuntu_pkg_tests_get()
  # returns something, otherwise as "gnupg not installed".
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnupg");
}
NASL family SuSE Local Security Checks NASL id SUSE_GPG-1955.NASL description This update of gpg fixes an segmentation fault when using the--no-armor option. This failure leads to a denial-of-service attack and may be used execute arbitrary code. (CVE-2006-3746) last seen 2020-06-01 modified 2020-06-02 plugin id 27245 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27245 title openSUSE 10 Security Update : gpg (gpg-1955) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update gpg-1955.
#
# The text description of this plugin is (C) SUSE LLC.
#
# Purpose: local (credentialed) package check for the gpg-1955 update
# (CVE-2006-3746) on openSUSE 10.1. It evaluates the gpg RPM via rpm_check()
# and reports when the check is flagged. The script does not exercise gpg
# itself; the verdict rests on package data in the knowledge base (KB).

include("compat.inc");

# Registration block: plugin metadata only. The exit(0) at its end leaves
# the script before any of the host checks below run.
if (description)
{
  script_id(27245);
  script_version ("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:28");

  script_cve_id("CVE-2006-3746");

  script_name(english:"openSUSE 10 Security Update : gpg (gpg-1955)");
  script_summary(english:"Check for the gpg-1955 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value: "This update of gpg fixes an segmentation fault when using the--no-armor option. This failure leads to a denial-of-service attack and may be used execute arbitrary code. 
(CVE-2006-3746)"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected gpg package.");
  # NOTE(review): the base vector rates availability impact only
  # (C:N/I:N/A:P), while the description text above says the fault may be
  # used to execute arbitrary code. Keep that gap in mind when prioritising
  # on the CVSS score alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # plugin_type "local": the result comes from host-side package data.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gpg");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/08/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  # ssh_get_info.nasl is not shown here; presumably it fills the Host/* KB
  # items listed below - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# audit() comes from audit.inc (not shown); presumably it ends the script
# with the given audit reason, so each test below acts as a gate.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
# Release strings starting with SLED or SLES are treated as "not openSUSE".
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
# Only the exact release string SUSE10.1 is evaluated.
if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
# Coverage limit: any architecture other than i586 / i686 / x86_64 is
# audited out here and gets no verdict from this plugin.
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

# rpm_check() is defined in rpm.inc (not shown); presumably it is true when
# the installed gpg RPM is older than the reference - verify there.
flag = 0;

if ( rpm_check(release:"SUSE10.1", reference:"gpg-1.4.2-23.7") ) flag++;

if (flag)
{
  # The package detail from rpm_report_get() is attached only when
  # report_verbosity is above 0; otherwise a bare warning is raised.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Check not flagged: audit as "not affected" when pkg_tests_get() returns
  # something, otherwise as "gpg not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gpg");
}
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2006-0615.NASL description From Red Hat Security Advisory 2006:0615 : Updated GnuPG packages that fix a security issue is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. An integer overflow flaw was found in GnuPG. An attacker could create a carefully crafted message packet with a large length that could cause GnuPG to crash or possibly overwrite memory when opened. (CVE-2006-3746) All users of GnuPG are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 67400 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67400 title Oracle Linux 4 : gnupg (ELSA-2006-0615) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2006:0615 and
# Oracle Linux Security Advisory ELSA-2006-0615 respectively.
#
# Purpose: local (credentialed) package check for ELSA-2006-0615
# (CVE-2006-3746) on Oracle Linux 4. It evaluates the gnupg RPM via
# rpm_check() and reports when a check is flagged. The script does not
# exercise gnupg itself; the verdict rests on package data in the
# knowledge base (KB).

include("compat.inc");

# Registration block: plugin metadata only. The exit(0) at its end leaves
# the script before any of the host checks below run.
if (description)
{
  script_id(67400);
  script_version("1.8");
  script_cvs_date("Date: 2019/10/25 13:36:06");

  script_cve_id("CVE-2006-3746");
  script_bugtraq_id(19110);
  script_xref(name:"RHSA", value:"2006:0615");

  script_name(english:"Oracle Linux 4 : gnupg (ELSA-2006-0615)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value: "From Red Hat Security Advisory 2006:0615 : Updated GnuPG packages that fix a security issue is now available. 
This update has been rated as having moderate security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. An integer overflow flaw was found in GnuPG. An attacker could create a carefully crafted message packet with a large length that could cause GnuPG to crash or possibly overwrite memory when opened. (CVE-2006-3746) All users of GnuPG are advised to upgrade to these updated packages, which contain a backported patch to correct this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2006-December/000029.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected gnupg package.");
  # NOTE(review): the base vector rates availability impact only
  # (C:N/I:N/A:P), while the description text above says the flaw could
  # "possibly overwrite memory". Keep that gap in mind when prioritising on
  # the CVSS score alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # plugin_type "local": the result comes from host-side package data.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:gnupg");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/12/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  # ssh_get_info.nasl is not shown here; presumably it fills the Host/* KB
  # items listed below - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  # Host/cpu is read further down but is not in this list; its absence is
  # handled there by the isnull(cpu) test.
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# audit() comes from audit.inc (not shown); presumably it ends the script
# with the given audit reason, so each test below acts as a gate.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
# Capture group 1 holds the numeric release (major, optionally .minor).
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
# Accept "4" or "4.x" only: the character after the 4 must be a non-digit
# or the end of the string.
if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
# Architectures other than x86_64, ia64 and i386-i686 are audited out here.
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

# rpm_check() is defined in rpm.inc (not shown); presumably it is true when
# the installed gnupg RPM for that cpu is older than the reference - verify
# there.
# NOTE(review): ia64 passes the architecture gate above, but only i386 and
# x86_64 references are checked here, so an ia64 host may fall through to
# the "not affected / not installed" branch without a real comparison.
flag = 0;
if (rpm_check(release:"EL4", cpu:"i386", reference:"gnupg-1.2.6-6")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"gnupg-1.2.6-6")) flag++;

if (flag)
{
  # The package detail from rpm_report_get() is attached only when
  # report_verbosity is above 0; otherwise a bare warning is raised.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # No check flagged: audit as "not affected" when pkg_tests_get() returns
  # something, otherwise as "gnupg not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnupg");
}
NASL family SuSE Local Security Checks NASL id SUSE_GPG2-1956.NASL description This update of gpg2 fixes a segmentation fault when using the --no-armor option. This failure leads to a denial-of-service attack and may be used to execute arbitrary code. (CVE-2006-3746) last seen 2020-06-01 modified 2020-06-02 plugin id 27250 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27250 title openSUSE 10 Security Update : gpg2 (gpg2-1956)
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0615.NASL description Updated GnuPG packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. An integer overflow flaw was found in GnuPG. An attacker could create a carefully crafted message packet with a large length that could cause GnuPG to crash or possibly overwrite memory when opened. (CVE-2006-3746) All users of GnuPG are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 22151 published 2006-08-04 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22151 title RHEL 2.1 / 3 / 4 : gnupg (RHSA-2006:0615)
NASL family SuSE Local Security Checks NASL id SUSE_GPG-1959.NASL description This update of gpg fixes a segmentation fault when using the --no-armor option. This failure leads to a denial-of-service attack and may be used to execute arbitrary code. (CVE-2006-3746) last seen 2020-06-01 modified 2020-06-02 plugin id 29448 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29448 title SuSE 10 Security Update : gpg (ZYPP Patch Number 1959)
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200608-08.NASL description The remote host is affected by the vulnerability described in GLSA-200608-08 (GnuPG: Integer overflow vulnerability). Evgeny Legerov discovered a vulnerability in GnuPG: an integer overflow may occur when certain packets are handled. Impact: By sending a specially crafted email to a user running an affected version of GnuPG, a remote attacker could possibly execute arbitrary code with the permissions of the user running GnuPG. Workaround: There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 22166 published 2006-08-07 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22166 title GLSA-200608-08 : GnuPG: Integer overflow vulnerability
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1141.NASL description Evgeny Legerov discovered that overly large comments can crash gnupg, the GNU privacy guard - a free PGP replacement, which is also present in the development branch. last seen 2020-06-01 modified 2020-06-02 plugin id 22683 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22683 title Debian DSA-1141-1 : gnupg2 - integer overflow
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0615.NASL description Updated GnuPG packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. An integer overflow flaw was found in GnuPG. An attacker could create a carefully crafted message packet with a large length that could cause GnuPG to crash or possibly overwrite memory when opened. (CVE-2006-3746) All users of GnuPG are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 22164 published 2006-08-07 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22164 title CentOS 3 / 4 : gnupg (CESA-2006:0615)
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-141.NASL description An integer overflow vulnerability was discovered in gnupg where an attacker could create a carefully-crafted message packet with a large length that could cause gnupg to crash or possibly overwrite memory when opened. Updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 23890 published 2006-12-16 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23890 title Mandrake Linux Security Advisory : gnupg (MDKSA-2006:141)
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1140.NASL description Evgeny Legerov discovered that overly large comments can crash gnupg, the GNU privacy guard - a free PGP replacement. last seen 2020-06-01 modified 2020-06-02 plugin id 22682 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22682 title Debian DSA-1140-1 : gnupg - integer overflow
Oval
accepted | 2013-04-29T04:13:26.007-04:00 |
class | vulnerability |
contributors |
definition_extensions |
description | Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message. |
family | unix |
id | oval:org.mitre.oval:def:11347 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message. |
version | 26 |
Redhat
advisories |
rpms |
References
- http://lists.immunitysec.com/pipermail/dailydave/2006-July/003354.html
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200502
- http://www.securityfocus.com/bid/19110
- http://www.gossamer-threads.com/lists/gnupg/devel/37623
- http://www.redhat.com/support/errata/RHSA-2006-0615.html
- http://www.debian.org/security/2006/dsa-1140
- http://security.gentoo.org/glsa/glsa-200608-08.xml
- http://www.osvdb.org/27664
- http://secunia.com/advisories/21306
- http://secunia.com/advisories/21329
- http://secunia.com/advisories/21378
- http://www.debian.org/security/2006/dsa-1141
- http://securitytracker.com/id?1016622
- http://secunia.com/advisories/21351
- http://secunia.com/advisories/21297
- http://secunia.com/advisories/21333
- http://secunia.com/advisories/21326
- http://issues.rpath.com/browse/RPL-560
- http://support.avaya.com/elmodocs2/security/ASA-2006-164.htm
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:141
- http://secunia.com/advisories/21300
- http://secunia.com/advisories/21522
- http://secunia.com/advisories/21524
- http://www.novell.com/linux/security/advisories/2006_20_sr.html
- ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P
- http://secunia.com/advisories/21598
- http://lwn.net/Alerts/194228/
- http://secunia.com/advisories/21346
- http://secunia.com/advisories/21467
- http://www.ubuntu.com/usn/usn-332-1
- http://www.vupen.com/english/advisories/2006/3123
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28220
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11347
- http://www.securityfocus.com/archive/1/442621/100/100/threaded
- http://www.securityfocus.com/archive/1/442012/100/0/threaded
- http://bugs.debian.org/cgi-bin/bugreport.cgi/gnupg.CVE-2006-3746.diff?bug=381204%3Bmsg=15%3Batt=1