{"vuid":"VU#233200","idnumber":"233200","name":"GnuPG contains format-string vulnerability in handling of encrypted data filename","keywords":["GnuPG","GPG","ttyio.c","tty_printf","do_get"],"overview":"Some versions of Gnu Privacy Guard (GPG) contain a format-string vulnerability from improper handling of filenames when decrypting files.","clean_desc":"GPG is an OpenPGP-compliant alternative to PGP to protect electronic communications using public-key cryptography. Versions of GPG prior to 1.0.6 contain a format-string vulnerability. The GPG source includes a function named tty_printf(), which expects as parameters -- much like the standard C library function printf() -- a format string followed by data values as indicated in the format string. The do_get() function in file util/ttyio.c of the GPG source code makes a call to tty_printf(), passing the filename as the format string instead of passing a constant format string followed by a pointer to the filename.","impact":"Attackers can craft a filename for an encrypted file that will cause GPG to execute arbitrary code when the file is decrypted by the recipient, with the privileges of the recipient user.","resolution":"Upgrade GPG to version 1.0.6, available from: http://www.gnupg.org","workarounds":"Until a patch can be applied, do not decrypt messages from untrusted sources with GPG.","sysaffected":"","thanks":"Thanks to fish stiqz for reporting this vulnerability.","author":"This document was written by Shawn Van Ittersum.","public":["http://www.securityfocus.com/bid/2797"],"cveids":["CVE-2001-0522"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-01-30T23:54:07Z","publicdate":"2001-05-29T00:00:00Z","datefirstpublished":"2002-03-29T22:58:53Z","dateupdated":"2002-03-29T22:59:03Z","revision":9,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"9","cam_population":"10","cam_impact":"6","cam_easeofexploitation":"12","cam_attackeraccessrequired":"18","cam_scorecurrent":"5.832","cam_scorecurrentwidelyknown":"7.047","cam_scorecurrentwidelyknownexploited":"11.907","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":5.832,"vulnote":null}