Login
Newsletter
Werbung

Sicherheit: Berechnung des geheimen Schlüssels in gnupg
Aktuelle Meldungen Distributionen
Name: Berechnung des geheimen Schlüssels in gnupg
ID: CSSA-2001-017.0
Distribution: Caldera
Plattformen: Caldera eDesktop 2.4, Caldera eBuilder, Caldera eServer 2.3.1, Caldera 2.3
Datum: Do, 24. Mai 2001, 13:00
Referenzen: Keine Angabe
Applikationen: The GNU Privacy Guard

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
Caldera Systems, Inc. Security Advisory

Subject: gnupg - private key retrieval vulnerability
Advisory number: CSSA-2001-017.0
Issue date: 2001 May, 15
Cross reference:
______________________________________________________________________________


1. Problem Description

Researchers from ICZ, a Czech information security company, have
discovered a vulnerability in the secret key handling of GnuPG.
Certain manipulations of the victim's secret key ring can result
in the disclosure of the private key when signing messages.

This requires the attacker to have write access to the secret key
ring of the victim, which usually would also allow him to just
modify the gpg binary or install snooping software, so the attack
itself is more of theoretical nature.

The technical background for this attack is explained in
* http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf (czech version)
* http://www.icz.cz/en/pdf/openPGP_attack_ENGvktr.pdf (english
* version)

2. Vulnerable Versions

System Package
-----------------------------------------------------------
OpenLinux 2.3 All packages previous to
gnupg-1.0.5-3

OpenLinux eServer 2.3.1 All packages previous to
and OpenLinux eBuilder gnupg-1.0.5-3

OpenLinux eDesktop 2.4 All packages previous to
gnupg-1.0.5-3

3. Solution

Workaround

none

The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

4.2 Verification

084b2a3e1a352630a68108d47f09c286 RPMS/gnupg-1.0.5-3.i386.rpm
0335e8b1b0230ee58ae39c4603ce5d8d SRPMS/gnupg-1.0.5-3.src.rpm

4.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv gnupg-*.i386.rpm

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

75b032166b0fb5a389aaf5b2e13f98e6 RPMS/gnupg-1.0.5-3.i386.rpm
0335e8b1b0230ee58ae39c4603ce5d8d SRPMS/gnupg-1.0.5-3.src.rpm

5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh gnupg-*i386.rpm

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

31c53f76dfe78419b6f1975bad2d89a4 RPMS/gnupg-1.0.5-3.i386.rpm
0335e8b1b0230ee58ae39c4603ce5d8d SRPMS/gnupg-1.0.5-3.src.rpm

6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh gnupg-*i386.rpm

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

This security fix closes Caldera's internal Problem Report 9581.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements:

Caldera International wishes to thank the ICZ team for spotting this
problem.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7AmVB18sy83A/qfwRAq59AKCats/5IlvHjPQEnDXGqApSvBvfhACeO3kU
0ZgH1MJp3WwwqvUXPjIrUl8=
=PJMT
-----END PGP SIGNATURE-----


---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung