Vulnerabilities > CVE-2006-6169 - Remote Buffer Overflow vulnerability in Gnupg 1.4/2.0
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2006-1405.NASL description This update upgrades GnuPG to version 1.4.6, incorporating fixes for a potential buffer overflow (CVE-2006-6169) and referencing of a stack variable after it passes out of scope (CVE-2006-6235). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24066 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24066 title Fedora Core 5 : gnupg-1.4.6-1 (2006-1405) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2006-1405. # include("compat.inc"); if (description) { script_id(24066); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:24"); script_bugtraq_id(21306, 21462); script_xref(name:"FEDORA", value:"2006-1405"); script_name(english:"Fedora Core 5 : gnupg-1.4.6-1 (2006-1405)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update upgrades GnuPG to version 1.4.6, incorporating fixes for a potential buffer overflow (CVE-2006-6169) and referencing of a stack variable after it passes out of scope (CVE-2006-6235). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/package-announce/2006-December/001063.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?289bba27" ); script_set_attribute( attribute:"solution", value:"Update the affected gnupg and / or gnupg-debuginfo packages." ); script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gnupg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gnupg-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC5", reference:"gnupg-1.4.6-1")) flag++; if (rpm_check(release:"FC5", reference:"gnupg-debuginfo-1.4.6-1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnupg / gnupg-debuginfo"); }NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2006-340-01.NASL description New gnupg packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24662 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/24662 title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 9.0 / 9.1 : gnupg (SSA:2006-340-01) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-393-2.NASL description USN-389-1 and USN-393-1 fixed vulnerabilities in gnupg. This update provides the corresponding updates for gnupg2. A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user last seen 2020-06-01 modified 2020-06-02 plugin id 27979 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27979 title Ubuntu 6.10 : gnupg2 vulnerabilities (USN-393-2) NASL family SuSE Local Security Checks NASL id SUSE_GPG2-2354.NASL description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode. (CVE-2006-6169) - Specially crafted files could modify a function pointer and execute code this way. (CVE-2006-6235) last seen 2020-06-01 modified 2020-06-02 plugin id 29452 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29452 title SuSE 10 Security Update : gpg2 (ZYPP Patch Number 2354) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-389-1.NASL description A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user last seen 2020-06-01 modified 2020-06-02 plugin id 27972 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27972 title Ubuntu 5.10 / 6.06 LTS / 6.10 : gnupg vulnerability (USN-389-1) NASL family SuSE Local Security Checks NASL id SUSE_GPG-2388.NASL description - Specially crafted files could overflow a buffer when gpg was used in interactive mode (CVE-2006-6169). - Specially crafted files could modify a function pointer and execute code this way (CVE-2006-6235). last seen 2020-06-01 modified 2020-06-02 plugin id 27247 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27247 title openSUSE 10 Security Update : gpg (gpg-2388) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0754.NASL description Updated GnuPG packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which with user interaction could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 23798 published 2006-12-11 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23798 title RHEL 2.1 / 3 / 4 : gnupg (RHSA-2006:0754) NASL family SuSE Local Security Checks NASL id SUSE_GPG-2353.NASL description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode (CVE-2006-6169). - Specially crafted files could modify a function pointer and execute code this way (CVE-2006-6235). last seen 2020-06-01 modified 2020-06-02 plugin id 27246 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27246 title openSUSE 10 Security Update : gpg (gpg-2353) NASL family SuSE Local Security Checks NASL id SUSE_GPG2-2352.NASL description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode (CVE-2006-6169). - Specially crafted files could modify a function pointer and execute code this way (CVE-2006-6235). last seen 2020-06-01 modified 2020-06-02 plugin id 27251 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27251 title openSUSE 10 Security Update : gpg2 (gpg2-2352) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2006-0754.NASL description From Red Hat Security Advisory 2006:0754 : Updated GnuPG packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which with user interaction could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 67429 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67429 title Oracle Linux 4 : gnupg (ELSA-2006-0754) NASL family SuSE Local Security Checks NASL id SUSE_GPG-2355.NASL description - Specially crafted files could overflow a buffer when gpg2 was used in interactive mode. (CVE-2006-6169) - Specially crafted files could modify a function pointer and execute code this way. (CVE-2006-6235) last seen 2020-06-01 modified 2020-06-02 plugin id 29449 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29449 title SuSE 10 Security Update : gpg (ZYPP Patch Number 2355) NASL family Fedora Local Security Checks NASL id FEDORA_2006-1406.NASL description This update upgrades GnuPG to version 1.4.6, incorporating fixes for a potential buffer overflow (CVE-2006-6169) and referencing of a stack variable after it passes out of scope (CVE-2006-6235). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24067 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24067 title Fedora Core 6 : gnupg-1.4.6-2 (2006-1406) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0754.NASL description Updated GnuPG packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which with user interaction could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 23789 published 2006-12-11 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23789 title CentOS 3 / 4 : gnupg (CESA-2006:0754) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-221.NASL description Buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages that cause the make_printable_string function to return a longer string than expected while constructing a prompt. Updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 24605 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24605 title Mandrake Linux Security Advisory : gnupg (MDKSA-2006:221) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1231.NASL description Several remote vulnerabilities have been discovered in the GNU privacy guard, a free PGP replacement, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-6169 Werner Koch discovered that a buffer overflow in a sanitising function may lead to execution of arbitrary code when running gnupg interactively. - CVE-2006-6235 Tavis Ormandy discovered that parsing a carefully crafted OpenPGP packet may lead to the execution of arbitrary code, as a function pointer of an internal structure may be controlled through the decryption routines. last seen 2020-06-01 modified 2020-06-02 plugin id 23792 published 2006-12-11 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23792 title Debian DSA-1231-1 : gnupg - several vulnerabilities NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200612-03.NASL description The remote host is affected by the vulnerability described in GLSA-200612-03 (GnuPG: Multiple vulnerabilities) Hugh Warrington has reported a boundary error in GnuPG, in the last seen 2020-06-01 modified 2020-06-02 plugin id 23855 published 2006-12-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23855 title GLSA-200612-03 : GnuPG: Multiple vulnerabilities
Oval
| accepted | 2013-04-29T04:12:31.217-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:11228 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||
| rpms |
|
Statements
| contributor | Joshua Bressers |
| lastmodified | 2007-03-14 |
| organization | Red Hat |
| statement | Red Hat does not consider this bug to be a security flaw. In order for this flaw to be exploited, a user would be required to enter shellcode into an interactive GnuPG session. Red Hat considers this to be an unlikely scenario. Red Hat Enterprise Linux 5 contains a backported patch to address this issue. |
References
- ftp://patches.sgi.com/support/free/security/advisories/20061201-01-P.asc
- http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html
- http://lists.suse.com/archive/suse-security-announce/2006-Dec/0004.html
- http://secunia.com/advisories/23094
- http://secunia.com/advisories/23110
- http://secunia.com/advisories/23146
- http://secunia.com/advisories/23161
- http://secunia.com/advisories/23171
- http://secunia.com/advisories/23250
- http://secunia.com/advisories/23269
- http://secunia.com/advisories/23284
- http://secunia.com/advisories/23299
- http://secunia.com/advisories/23303
- http://secunia.com/advisories/23513
- http://secunia.com/advisories/24047
- http://security.gentoo.org/glsa/glsa-200612-03.xml
- http://securityreason.com/securityalert/1927
- http://securitytracker.com/id?1017291
- http://support.avaya.com/elmodocs2/security/ASA-2007-047.htm
- http://www.debian.org/security/2006/dsa-1231
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:221
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.037.html
- http://www.redhat.com/support/errata/RHSA-2006-0754.html
- http://www.securityfocus.com/archive/1/452829/100/0/threaded
- http://www.securityfocus.com/archive/1/453253/100/100/threaded
- http://www.securityfocus.com/bid/21306
- http://www.trustix.org/errata/2006/0068/
- http://www.ubuntu.com/usn/usn-389-1
- http://www.ubuntu.com/usn/usn-393-2
- http://www.vupen.com/english/advisories/2006/4736
- https://bugs.g10code.com/gnupg/issue728
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30550
- https://issues.rpath.com/browse/RPL-826
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11228