VuXML ID | Description |
34c93ae8-7e6f-11db-bf00-02e081235dab | gnupg -- buffer overflow
Werner Koch reports:
When running GnuPG interactively, specially crafted
messages may be used to crash gpg or gpg2. Running gpg in
batch mode, as done by all software using gpg as a backend
(e.g. mailers), is not affected by this bug.
Exploiting this overflow seems to be possible.
gpg-agent, gpgsm, gpgv or other tools from the GnuPG
suite are not affected.
Discovery 2006-11-27 Entry 2006-11-27
gnupg < 1.4.5_1
http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html
|
8375a73f-01bf-11da-bc08-0001020eed82 | gnupg -- OpenPGP symmetric encryption vulnerability
Serge Mister and Robert Zuccherato report that the OpenPGP
protocol is vulnerable to a cryptographic attack when using
symmetric encryption in an automated way.
David Shaw reports about the impact:
This attack, while very significant from a cryptographic
point of view, is not generally effective in the real
world. To be specific, unless you have your OpenPGP
program set up as part of an automated system to accept
encrypted messages, decrypt them, and then provide a
response to the submitter, then this does not affect you
at all.
Note that the fix in GnuPG does not completely
eliminate the potential problem:
These patches disable a portion of the OpenPGP protocol
that the attack is exploiting. This change should not be
user visible. With the patch in place, this attack will
not work using a public-key encrypted message. It will
still work using a passphrase-encrypted message.
Discovery 2005-02-08 Entry 2005-07-31 Modified 2007-04-23
gnupg < 1.4.1
p5-Crypt-OpenPGP le 1.03
pgp ge 3.0
303094
CVE-2005-0366
http://eprint.iacr.org/2005/033
http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html
http://www.pgp.com/newsroom/ctocorner/openpgp.html
|
4db1669c-8589-11db-ac4f-02e081235dab | gnupg -- remotely controllable function pointer
Werner Koch reports:
GnuPG uses data structures called filters to process
OpenPGP messages. These filters are used in a similar
way as pipelines in the shell. For communication
between these filters context structures are used. These
are usually allocated on the stack and passed to the
filter functions. At most places the OpenPGP data stream
fed into these filters is closed before the context
structure gets deallocated. While decrypting encrypted
packets, this may not happen in all cases and the filter
may use a void context structure filled with garbage. An
attacker may control this garbage. The filter context
includes another context used by the low-level decryption
to access the decryption algorithm. This is done using a
function pointer. By carefully crafting an OpenPGP
message, an attacker may control this function pointer and
call an arbitrary function of the process. Obviously an
exploit needs to be prepared for a specific version,
compiler, libc, etc to be successful - but it is
definitely doable.
Fixing this is obvious: We need to allocate the context on
the heap and use a reference count to keep it valid as
long as either the controlling code or the filter code
needs it.
We have checked all other usages of such stack based
filter contexts but fortunately found no other vulnerable
places. This allows to release a relatively small patch.
However, for reasons of code cleanness and easier audits
we will soon start to change all these stack based filter
contexts to heap based ones.
Discovery 2006-12-04 Entry 2006-12-07 Modified 2006-12-15
gnupg < 1.4.6
CVE-2006-6235
http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000246.html
http://secunia.com/advisories/23245/
|
81313647-2d03-11d8-9355-0020ed76ef5a | ElGamal sign+encrypt keys created by GnuPG can be compromised
Any ElGamal sign+encrypt keys created by GnuPG contain a
cryptographic weakness that may allow someone to obtain
the private key. These keys should be considered
unusable and should be revoked.
The following summary was written by Werner Koch, GnuPG
author:
Phong Nguyen identified a severe bug in the way GnuPG
creates and uses ElGamal keys for signing. This is
a significant security failure which can lead to a
compromise of almost all ElGamal keys used for signing.
Note that this is a real world vulnerability which will
reveal your private key within a few seconds.
...
Please take immediate action and revoke your ElGamal
signing keys. Furthermore you should take whatever
measures necessary to limit the damage done for signed or
encrypted documents using that key.
Note that the standard keys as generated by GnuPG (DSA
and ElGamal encryption) as well as RSA keys are NOT
vulnerable. Note also that ElGamal signing keys cannot
be generated without the use of a special flag to enable
hidden options and even then overriding a warning message
about this key type. See below for details on how to
identify vulnerable keys.
Discovery 2003-11-27 Entry 2003-12-12
gnupg ge 1.0.2 lt 1.2.3_4
CVE-2003-0971
http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html
|
948921ad-afbc-11da-bad9-02e081235dab | GnuPG does not detect injection of unsigned data
Werner Koch reports:
In the aftermath of the false positive signature
verification bug (announced 2006-02-15) more thorough testing
of the fix has been done and another vulnerability has been
detected. This new problem affects the use of *gpg* for
verification of signatures which are _not_ detached
signatures. The problem also affects verification of
signatures embedded in encrypted messages; i.e. standard use
of gpg for mails.
Discovery 2006-03-09 Entry 2006-03-10 Modified 2006-03-11
gnupg < 1.4.2.2
CVE-2006-0049
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html
|
80771b89-f57b-11e2-bf21-b499baab0cbe | gnupg -- side channel attack on RSA secret keys
A Yarom and Falkner paper reports:
Flush+Reload is a cache side-channel attack that monitors access to
data in shared pages. In this paper we demonstrate how to use the
attack to extract private encryption keys from GnuPG. The high
resolution and low noise of the Flush+Reload attack enables a spy
program to recover over 98% of the bits of the private key in a
single decryption or signing round. Unlike previous attacks, the
attack targets the last level L3 cache. Consequently, the spy
program and the victim do not need to share the execution core of
the CPU. The attack is not limited to a traditional OS and can be
used in a virtualised environment, where it can attack programs
executing in a different VM.
Discovery 2013-07-18 Entry 2013-07-25 Modified 2013-07-26
gnupg < 1.4.14
http://eprint.iacr.org/2013/448
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
|
f900bda8-0472-11db-bbf7-000c6ec775d9 | gnupg -- user id integer overflow vulnerability
If GnuPG processes a userid with a very long packet length,
GnuPG can crash due to insufficient bounds check. This can
result in a denial-of-service condition or potentially
execution of arbitrary code with the privileges of the user
running GnuPG.
Discovery 2006-05-31 Entry 2006-06-25
gnupg < 1.4.4
18554
CVE-2006-3082
http://marc.theaimsgroup.com/?l=gnupg-users&m=115124706210430
http://marc.theaimsgroup.com/?l=full-disclosure&m=114907659313360
http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/g10/parse-packet.c?rev=4157&r1=4141&r2=4157
|
749b5587-2da1-11e3-b1a9-b499baab0cbe | gnupg -- possible infinite recursion in the compressed packet parser
Werner Koch reports:
Specially crafted input data may be used to cause a denial of service
against GPG (GnuPG's OpenPGP part) and some other OpenPGP
implementations. All systems using GPG to process incoming data are
affected.
Discovery 2013-10-05 Entry 2013-10-05
gnupg < 1.4.15; ge 2.0.0 lt 2.0.22
CVE-2013-4402
|
2e5715f8-67f7-11e3-9811-b499baab0cbe | gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack
Werner Koch reports:
CVE-2013-4576 has been assigned to this security bug.
The paper describes two attacks. The first attack allows
to distinguish keys: An attacker is able to notice which key is
currently used for decryption. This is in general not a problem but
may be used to reveal the information that a message, encrypted to a
commonly not used key, has been received by the targeted machine. We
do not have a software solution to mitigate this attack.
The second attack is more serious. It is an adaptive
chosen ciphertext attack to reveal the private key. A possible
scenario is that the attacker places a sensor (for example a standard
smartphone) in the vicinity of the targeted machine. That machine is
assumed to do unattended RSA decryption of received mails, for example
by using a mail client which speeds up browsing by opportunistically
decrypting mails expected to be read soon. While listening to the
acoustic emanations of the targeted machine, the smartphone will send
new encrypted messages to that machine and re-construct the private
key bit by bit. A 4096 bit RSA key used on a laptop can be revealed
within an hour.
Discovery 2013-12-18 Entry 2013-12-18 Modified 2014-04-30
gnupg < 1.4.16
gnupg1 < 1.4.16
CVE-2013-4576
http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html
|
63fe4189-9f97-11da-ac32-0001020eed82 | gnupg -- false positive signature verification
Werner Koch reports:
The Gentoo project identified a security related bug in
GnuPG. When using any current version of GnuPG for
unattended signature verification (e.g. by scripts and
mail programs), false positive signature verification of
detached signatures may occur.
This problem affects the tool *gpgv*, as well as using
"gpg --verify" to imitate gpgv, if only the exit code of
the process is used to decide whether a detached signature
is valid. This is a plausible mode of operation for
gpgv.
If, as suggested, the --status-fd generated output is
used to decide whether a signature is valid, no problem
exists. In particular applications making use of the
GPGME library[2] are not affected.
Discovery 2006-02-15 Entry 2006-02-17
gnupg < 1.4.2.1
CVE-2006-0455
http://marc.theaimsgroup.com/?l=gnupg-devel&m=113999098729114
|
1c840eb9-fb32-11e3-866e-b499baab0cbe | gnupg -- possible DoS using garbled compressed data packets
Werner Koch reports:
This release includes a *security fix* to stop
a possible DoS using garbled compressed data packets which can be used
to put gpg into an infinite loop.
Discovery 2014-06-23 Entry 2014-06-23
gnupg1 < 1.4.17
gnupg < 2.0.24
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html
|
30394651-13e1-11dd-bab7-0016179b2dd5 | gnupg -- memory corruption vulnerability
Secunia reports:
A vulnerability has been reported in GnuPG, which can potentially
be exploited to compromise a vulnerable system.
The vulnerability is caused due to an error when importing keys
with duplicated IDs. This can be exploited to cause a memory
corruption when importing keys via --refresh-keys or --import.
Successful exploitation potentially allows execution of arbitrary
code, but has not been proven yet.
Discovery 2008-03-19 Entry 2008-04-26 Modified 2008-04-29
gnupg ge 1.0.0 lt 1.4.9; ge 2.0.0 lt 2.0.9
28487
CVE-2008-1530
http://www.ocert.org/advisories/ocert-2008-1.html
http://secunia.com/advisories/29568
https://bugs.g10code.com/gnupg/issue894
|
ed529baa-21c6-11db-b625-02e081235dab | gnupg -- 2 more possible memory allocation attacks
Author reports:
Fixed 2 more possible memory allocation attacks. They are
similar to the problem we fixed with 1.4.4. This bug can easily
be exploited for a DoS; remote code execution is not entirely
impossible.
Discovery 2006-08-01 Entry 2006-08-02
gnupg < 1.4.5
http://lists.gnupg.org/pipermail/gnupg-announce/2006q3/000229.html
|
23f65f58-a261-11e9-b444-002590acae31 | GnuPG -- denial of service
From the GnuPG 2.2.17 changelog:
gpg: Ignore all key-signatures received from keyservers. This
change is required to mitigate a DoS due to keys flooded with
faked key-signatures.
Discovery 2019-07-03 Entry 2019-07-09
gnupg < 2.2.17
https://dev.gnupg.org/T4606
https://dev.gnupg.org/T4607
|
7da0417f-6b24-11e8-84cc-002590acae31 | gnupg -- unsanitized output (CVE-2018-12020)
GnuPG reports:
GnuPG did not sanitize input file names, which may then be output to
the terminal. This could allow terminal control sequences or fake
status messages to be injected into the output.
Discovery 2018-06-07 Entry 2018-06-08
gnupg < 2.2.8
gnupg1 < 1.4.23
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
CVE-2018-12020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
CVE-2017-7526
|