             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                GnuPG Security Update [Red Hat RHSA-2007:0106-2]

March 6, 2007 20:00 GMT                                           Number R-172
[REVISED 15 Mar 2007]
[REVISED 23 Mar 2007]
[REVISED 31 Jul 2007]
______________________________________________________________________________
PROBLEM:        A number of applications that make use of GnuPG are prone to a
                vulnerability involving incorrect verification of signatures
                and encryption.

PLATFORM:       Red Hat Desktop (v. 3, v. 4)
                Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v. 3, v. 4)
                Red Hat Enterprise Linux (v. 5 server)
                Red Hat Enterprise Linux Desktop (v. 5 client)
                Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
                Debian GNU/Linux 3.1 (sarge)
                SGI Advanced Linux Environment 3 for ProPack 3

DAMAGE:         An attacker could add arbitrary content to a signed message in
                such a way that a receiver of the message would not be able to
                distinguish between the properly signed parts of a message and
                the forged, unsigned, parts.

SOLUTION:       Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY   The risk is LOW. An attacker could add arbitrary content to a
ASSESSMENT:     signed message in such a way that a receiver of the message
                would not be able to distinguish between the properly signed
                parts of a message and the forged, unsigned, parts.
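The forgery described under DAMAGE works by appending unsigned plaintext to a
message that already carries a signed plaintext; the GnuPG patch referenced in
the Red Hat advisory below rejects messages with more than one plaintext
packet. The following Python is an added illustration, not CIAC or Red Hat
code and not GnuPG's own check: it walks the RFC 4880 packet framing of a
binary OpenPGP message and reports whether its top level contains more than
one Literal Data packet (tag 11). The two sample messages are constructed
byte strings whose signature packet bodies are zeroed placeholders, and the
helper names (parse_packets, count_literal_packets, has_single_plaintext) are
this example's own. Only top-level packets are examined; packets nested in a
Compressed Data packet would have to be decompressed and walked the same way.

```python
"""Count plaintext (Literal Data) packets in a binary OpenPGP message.

Added example: illustrates the "multiple plaintext packets" condition named
in CIAC R-172. Not GnuPG's implementation. Top-level packets only.
"""
from dataclasses import dataclass
from typing import List, Tuple

# RFC 4880 packet tags used here
SIGNATURE = 2
ONE_PASS_SIGNATURE = 4
LITERAL_DATA = 11


@dataclass
class Packet:
    tag: int
    body: bytes


def _new_format_length(data: bytes, pos: int) -> Tuple[int, int, bool]:
    """Decode a new-format body length starting at data[pos].

    Returns (length, header_octets_consumed, is_partial_body_length)."""
    first = data[pos]
    if first < 192:                       # one-octet length
        return first, 1, False
    if first < 224:                       # two-octet length
        return ((first - 192) << 8) + data[pos + 1] + 192, 2, False
    if first == 255:                      # five-octet length
        return int.from_bytes(data[pos + 1:pos + 5], "big"), 5, False
    return 1 << (first & 0x1F), 1, True   # partial body length; more chunks follow


def parse_packets(data: bytes) -> List[Packet]:
    """Split a binary OpenPGP message into its top-level packets."""
    packets: List[Packet] = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte at offset {pos}")
        if ctb & 0x40:                                    # new-format header
            tag = ctb & 0x3F
            length, consumed, partial = _new_format_length(data, pos + 1)
            pos += 1 + consumed
            body = data[pos:pos + length]
            pos += length
            while partial:                                # reassemble partial bodies
                length, consumed, partial = _new_format_length(data, pos)
                pos += consumed
                body += data[pos:pos + length]
                pos += length
        else:                                             # old-format header
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 3:                          # indeterminate: to end of data
                body = data[pos + 1:]
                pos = len(data)
            else:
                nbytes = (1, 2, 4)[length_type]
                length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
                pos += 1 + nbytes
                body = data[pos:pos + length]
                pos += length
        packets.append(Packet(tag, body))
    return packets


def count_literal_packets(data: bytes) -> int:
    return sum(1 for p in parse_packets(data) if p.tag == LITERAL_DATA)


def has_single_plaintext(data: bytes) -> bool:
    """True when exactly one Literal Data packet is present at the top level."""
    return count_literal_packets(data) == 1


# --- constructed sample messages; signature bodies are zeroed placeholders ---

def _old_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a one-octet length (body under 256 octets)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _new_packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-octet length (body under 192 octets)."""
    return bytes([0xC0 | tag, len(body)]) + body


def _literal_body(text: bytes) -> bytes:
    # format 'b' (binary), empty filename, zero timestamp, then the data
    return b"b" + b"\x00" + (0).to_bytes(4, "big") + text


# one-pass signature, literal data, signature: the normal shape of a signed message
SIGNED_OK = (
    _old_packet(ONE_PASS_SIGNATURE, bytes(13))
    + _old_packet(LITERAL_DATA, _literal_body(b"Meeting moved to 10:00\n"))
    + _old_packet(SIGNATURE, bytes(8))
)

# the same message with a second, unsigned literal data packet appended
SPOOFED = SIGNED_OK + _new_packet(LITERAL_DATA, _literal_body(b"Unsigned text\n"))

if __name__ == "__main__":
    for name, msg in (("signed", SIGNED_OK), ("spoofed", SPOOFED)):
        print(name, [p.tag for p in parse_packets(msg)],
              "accept" if has_single_plaintext(msg) else "reject")
```

Run as a script it prints the packet tags of each sample and whether a
single-plaintext rule would accept it: the clean message shows tags 4, 11, 2
and is accepted; the appended second literal packet is counted and the
message is rejected before any of its text is shown to a user.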
______________________________________________________________________________
 LINKS:
  CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-172.shtml
  ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0106.html
  ADDITIONAL LINKS:   https://rhn.redhat.com/errata/RHSA-2007-0107.html
                      http://www.debian.org/security/2007/dsa-1266
                      http://www.sgi.com/support/security/advisories.html
  CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1263
______________________________________________________________________________
REVISION HISTORY:

03/15/2007 - revised R-172 to add a link to Red Hat RHSA-2007:0107-2 for Red Hat
             Enterprise Linux (v. 5 server) and Red Hat Enterprise Linux Desktop
             (v. 5 client).
03/23/2007 - revised R-172 to add a link to Debian Security Advisory DSA-1266-1
             for Debian GNU/Linux 3.1 (sarge).
07/31/2007 - revised R-172 to add a link to SGI Security Advisory 20070301-01-P
             for SGI Advanced Linux Environment 3 for ProPack 3.

[***** Start Red Hat RHSA-2007:0106-2 *****]

Important: gnupg security update

Advisory:             RHSA-2007:0106-2
Type:                 Security Advisory
Severity:             Important
Issued on:            2007-03-06
Last updated on:      2007-03-06
Affected Products:    Red Hat Desktop (v. 3)
                      Red Hat Desktop (v. 4)
                      Red Hat Enterprise Linux AS (v. 2.1)
                      Red Hat Enterprise Linux AS (v. 3)
                      Red Hat Enterprise Linux AS (v. 4)
                      Red Hat Enterprise Linux ES (v. 2.1)
                      Red Hat Enterprise Linux ES (v. 3)
                      Red Hat Enterprise Linux ES (v. 4)
                      Red Hat Enterprise Linux WS (v. 2.1)
                      Red Hat Enterprise Linux WS (v. 3)
                      Red Hat Enterprise Linux WS (v. 4)
                      Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
OVAL:                 com.redhat.rhsa-20070106.xml
CVEs (cve.mitre.org): CVE-2007-1263

Details

Updated GnuPG packages that fix a security issue are now available.

This update has been rated as having important security impact by the Red Hat
Security Response Team.

GnuPG is a utility for encrypting data and creating digital signatures.
Gerardo Richarte discovered that a number of applications that make use of
GnuPG are prone to a vulnerability involving incorrect verification of
signatures and encryption. An attacker could add arbitrary content to a signed
message in such a way that a receiver of the message would not be able to
distinguish between the properly signed parts of a message and the forged,
unsigned, parts. (CVE-2007-1263)

Whilst this is not a vulnerability in GnuPG itself, the GnuPG team have
produced a patch to protect against messages with multiple plaintext packets.
Users should update to these erratum packages which contain the backported
patch for this issue.

Red Hat would like to thank Core Security Technologies for reporting this
issue.

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.2.1-20.src.rpm      b58f2218e4869dd8b945f86b739d51f2
IA-32:
gnupg-1.2.1-20.i386.rpm     7567e3eeca9c11a2b0c33bf2e1c052f3
x86_64:
gnupg-1.2.1-20.x86_64.rpm   ca2ba72abdb891c81a8e0afcc489771d

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.2.6-9.src.rpm       66d7a97de1bf7d07f5bc403afb08b5a1
IA-32:
gnupg-1.2.6-9.i386.rpm      ff1fcc16803666fa6bb3778b8c765024
x86_64:
gnupg-1.2.6-9.x86_64.rpm    4f0348791dde513a605037eab21b0989

Red Hat Enterprise Linux AS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.0.7-21.src.rpm      f2de74bb383030835808bf772b778d03
IA-32:
gnupg-1.0.7-21.i386.rpm     bdefd567317e73068bc7d8548eef9b62
IA-64:
gnupg-1.0.7-21.ia64.rpm     7d9c9f00a769a8bc3ad6cb7d9c873405

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.2.1-20.src.rpm      b58f2218e4869dd8b945f86b739d51f2
IA-32:
gnupg-1.2.1-20.i386.rpm     7567e3eeca9c11a2b0c33bf2e1c052f3
IA-64:
gnupg-1.2.1-20.ia64.rpm     9a74ed7d363226b9b314500427a9639e
PPC:
gnupg-1.2.1-20.ppc.rpm      93c308be7bc7625938b63e350d697be0
s390:
gnupg-1.2.1-20.s390.rpm     993e706b31617cf75c0a574c1a16f130
s390x:
gnupg-1.2.1-20.s390x.rpm    bb4efa201f02ada7389c237fedea3499
x86_64:
gnupg-1.2.1-20.x86_64.rpm   ca2ba72abdb891c81a8e0afcc489771d

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.2.6-9.src.rpm       66d7a97de1bf7d07f5bc403afb08b5a1
IA-32:
gnupg-1.2.6-9.i386.rpm      ff1fcc16803666fa6bb3778b8c765024
IA-64:
gnupg-1.2.6-9.ia64.rpm      b86560b6a5ba00907fbc78bef4f0da72
PPC:
gnupg-1.2.6-9.ppc.rpm       5a0664072856b2ac8afc817848b0d4c7
s390:
gnupg-1.2.6-9.s390.rpm      8f0f1c9e231b2010f7c48dd4efe74c39
s390x:
gnupg-1.2.6-9.s390x.rpm     930d4d567445b86111e21109f14635f1
x86_64:
gnupg-1.2.6-9.x86_64.rpm    4f0348791dde513a605037eab21b0989

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.0.7-21.src.rpm      f2de74bb383030835808bf772b778d03
IA-32:
gnupg-1.0.7-21.i386.rpm     bdefd567317e73068bc7d8548eef9b62

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.2.1-20.src.rpm      b58f2218e4869dd8b945f86b739d51f2
IA-32:
gnupg-1.2.1-20.i386.rpm     7567e3eeca9c11a2b0c33bf2e1c052f3
IA-64:
gnupg-1.2.1-20.ia64.rpm     9a74ed7d363226b9b314500427a9639e
x86_64:
gnupg-1.2.1-20.x86_64.rpm   ca2ba72abdb891c81a8e0afcc489771d

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.2.6-9.src.rpm       66d7a97de1bf7d07f5bc403afb08b5a1
IA-32:
gnupg-1.2.6-9.i386.rpm      ff1fcc16803666fa6bb3778b8c765024
IA-64:
gnupg-1.2.6-9.ia64.rpm      b86560b6a5ba00907fbc78bef4f0da72
x86_64:
gnupg-1.2.6-9.x86_64.rpm    4f0348791dde513a605037eab21b0989

Red Hat Enterprise Linux WS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.0.7-21.src.rpm      f2de74bb383030835808bf772b778d03
IA-32:
gnupg-1.0.7-21.i386.rpm     bdefd567317e73068bc7d8548eef9b62

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.2.1-20.src.rpm      b58f2218e4869dd8b945f86b739d51f2
IA-32:
gnupg-1.2.1-20.i386.rpm     7567e3eeca9c11a2b0c33bf2e1c052f3
IA-64:
gnupg-1.2.1-20.ia64.rpm     9a74ed7d363226b9b314500427a9639e
x86_64:
gnupg-1.2.1-20.x86_64.rpm   ca2ba72abdb891c81a8e0afcc489771d

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.2.6-9.src.rpm       66d7a97de1bf7d07f5bc403afb08b5a1
IA-32:
gnupg-1.2.6-9.i386.rpm      ff1fcc16803666fa6bb3778b8c765024
IA-64:
gnupg-1.2.6-9.ia64.rpm      b86560b6a5ba00907fbc78bef4f0da72
x86_64:
gnupg-1.2.6-9.x86_64.rpm    4f0348791dde513a605037eab21b0989

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
--------------------------------------------------------------------------------
SRPMS:
gnupg-1.0.7-21.src.rpm      f2de74bb383030835808bf772b778d03
IA-64:
gnupg-1.0.7-21.ia64.rpm     7d9c9f00a769a8bc3ad6cb7d9c873405

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

230456 - CVE-2007-1263 gnupg signed message spoofing

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1263
http://www.redhat.com/security/updates/classification/#important

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:0106-2 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-160: McAfee Virex Vulnerability
R-161: Stack Overflow in Third-Party ActiveX Controls
R-162: Mozilla Firefox has a Memory Corruption
R-163: Mozilla Crashes with Evidence of Memory Corruption
R-165: Firefox Security Update
R-166: Cisco Catalyst 6000, 6500 Series and Cisco 7600 Series NAM (Network
       Analysis Module) Vulnerability
R-168: Vulnerability in Citrix Presentation Server Client for Windows
R-169: EMC NetWorker Management Console Vulnerability
R-170: Symantec Mail Security for SMTP Vulnerability
R-171: Apple QuickTime 7.1.5