2024-01-13 15:55:18 YS 来源：ZONE.CI 全球网 0 阅读模式

> GnuPG内置签名验证漏洞

GnuPG内置签名验证漏洞

CNNVD-ID编号	CNNVD-200603-226	CVE编号	CVE-2006-0049
发布时间	2006-03-13	更新时间	2006-03-14
漏洞类型	设计错误	漏洞来源	Werner Koch [email protected] Tavis Ormandy [email protected]
危险等级	中危	威胁类型	远程
厂商	gnu

漏洞介绍

GnuPG是基于OpenPGP标准的PGP加密、解密、签名工具。

GnuPG在处理邮件内置的签名时存在验证漏洞，攻击者可能利用此漏洞在邮件中插入额外的数据。

GnuPG在提取已签名的数据时，数据可能前置或后缀了签名没有没有覆盖到的额外数据，这样攻击者就可以利用签名消息注入额外的任意数据。

漏洞补丁

目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接：

GNU GNU Privacy Guard 1.0

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU GNU Privacy Guard 1.0 .6

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU GNU Privacy Guard 1.0.1

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU GNU Privacy Guard 1.0.2

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU GNU Privacy Guard 1.0.3

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU GNU Privacy Guard 1.0.4

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU finger 1.0.7

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU GNU Privacy Guard 1.0.7

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU GNU Privacy Guard 1.2.1

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

Slackware gnupg-1.4.2.2-i386-1.tgz

Slackware 9.0:

ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/g nupg-1.4.2.2-i386-1.tgz

GNU GNU Privacy Guard 1.2.2 -rc1

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU GNU Privacy Guard 1.2.2 -r1

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU GNU Privacy Guard 1.2.3

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

Slackware gnupg-1.4.2.2-i486-1.tgz

Slackware 10.0:

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/ gnupg-1.4.2.2-i486-1.tgz

Slackware gnupg-1.4.2.2-i486-1.tgz

Slackware 9.1:

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/g nupg-1.4.2.2-i486-1.tgz

GNU GNU Privacy Guard 1.2.4

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

Mandriva gnupg-1.4.2.2-0.1.C30mdk.i586.rpm

Corporate 3.0:

http://www.mandriva.com/en/download

Mandriva gnupg-1.4.2.2-0.1.C30mdk.i586.rpm

Corporate 3.0:

http://wwwnew.mandriva.com/en/downloads/

Mandriva gnupg-1.4.2.2-0.1.C30mdk.src.rpm

Corporate 3.0:

http://www.mandriva.com/en/download

Mandriva gnupg-1.4.2.2-0.1.C30mdk.x86_64.rpm

Corporate 3.0:

http://www.mandriva.com/en/download

Mandriva gnupg-1.4.2.2-0.1.C30mdk.x86_64.rpm

Corporate 3.0:

http://wwwnew.mandriva.com/en/downloads/

Mandriva gnupg-1.4.2.2-0.1.M20mdk.i586.rpm

Corporate 3.0:

http://wwwnew.mandriva.com/en/downloads/

Slackware gnupg-1.4.2.2-i486-1.tgz

Slackware 10.0:

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/ gnupg-1.4.2.2-i486-1.tgz

SuSE gpg-1.2.4-68.13.i586.rpm

SUSE LINUX 9.1:

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpg-1.2.4-68.13.i 586.rpm

SuSE gpg-1.2.4-68.13.x86_64.rpm

SUSE LINUX 9.1:

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/gpg-1.2.4-68. 13.x86_64.rpm

Ubuntu gnupg_1.2.4-4ubuntu2.3_amd64.deb

Ubuntu 4.10 (Warty Warthog)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubunt u2.3_amd64.deb

Ubuntu gnupg_1.2.4-4ubuntu2.3_i386.deb

Ubuntu 4.10 (Warty Warthog)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubunt u2.3_i386.deb

Ubuntu gnupg_1.2.4-4ubuntu2.3_powerpc.deb

Ubuntu 4.10 (Warty Warthog)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubunt u2.3_powerpc.deb

Ubuntu gpgv-udeb_1.4.1-1ubuntu1.2_i386.udeb

Updated packages for Ubuntu 5.04:

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1u buntu1.2_i386.udeb

Ubuntu gpgv-udeb_1.4.1-1ubuntu1.2_powerpc.udeb

Updated packages for Ubuntu 5.04:

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1u buntu1.2_powerpc.udeb

GNU GNU Privacy Guard 1.2.6

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

Trustix gnupg-1.2.6-2tr.i586.rpm

TSL 2.2

ftp://ftp.trustix.org/pub/trustix/updates

Trustix gnupg-1.4.2.2-1tr.i586.rpm

TSL 3.0

ftp://ftp.trustix.org/pub/trustix/updates

Trustix gnupg-utils-1.2.6-2tr.i586.rpm

TSL 2.2

ftp://ftp.trustix.org/pub/trustix/updates

Trustix gnupg-utils-1.4.2.2-1tr.i586.rpm

TSL 3.0

ftp://ftp.trustix.org/pub/trustix/updates

GNU GNU Privacy Guard 1.3.3

GNU GNU Privacy Guard 1.4.2.2

http://www.gnupg.org/download/

GNU

参考网址

来源: BID

名称: 17058

链接：http://www.securityfocus.com/bid/17058

来源: BUGTRAQ

名称: 20060309 GnuPG does not detect injection of unsigned data

链接：http://www.securityfocus.com/archive/1/archive/1/427324/100/0/threaded

来源: OSVDB

名称: 23790

链接：http://www.osvdb.org/23790

来源: GENTOO

名称: GLSA-200603-08

链接：http://www.gentoo.org/security/en/glsa/glsa-200603-08.xml

来源: VUPEN

名称: ADV-2006-0915

链接：http://www.frsirt.com/english/advisories/2006/0915

来源: DEBIAN

名称: DSA-993

链接：http://www.debian.org/security/2006/dsa-993

来源: SECTRACK

名称: 1015749

链接：http://securitytracker.com/id?1015749

来源: SECUNIA

名称: 19173

链接：http://secunia.com/advisories/19173

来源: MLIST

名称: [gnupg-announce] 20060309 [Announce] GnuPG does not detect injection of unsigned data

链接：http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html

来源: UBUNTU

名称: USN-264-1

链接：http://www.ubuntulinux.org/support/documentation/usn/usn-264-1

来源: XF

名称: gnupg-nondetached-sig-verification(25184)

链接：http://xforce.iss.net/xforce/xfdb/25184

来源: TRUSTIX

名称: 2006-0014

链接：http://www.trustix.org/errata/2006/0014

来源: SLACKWARE

名称: SSA:2006-072-02

链接：http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.476477

来源: FEDORA

名称: FLSA-2006:185355

链接：http://www.securityfocus.com/archive/1/archive/1/433931/100/0/threaded

来源: REDHAT

名称: RHSA-2006:0266

链接：http://www.redhat.com/support/errata/RHSA-2006-0266.html

来源: FEDORA

名称: FEDORA-2006-147

链接：http://www.redhat.com/archives/fedora-announce-list/2006-March/msg00021.html

来源: MANDRIVA

名称: MDKSA-2006:055

链接：http://www.mandriva.com/security/advisories?name=MDKSA-2006:055

来源: SREASON

名称: 568

链接：http://securityreason.com/securityalert/568

来源: SREASON

名称: 450

链接：http://securityreason.com/securityalert/450

来源: SECUNIA

名称: 19532

链接：http://secunia.com/advisories/19532

来源: SECUNIA

名称: 19287

链接：http://secunia.com/advisories/19287

来源: SECUNIA

名称: 19249

链接：http://secunia.com/advisories/19249

来源: SECUNIA

名称: 19244

链接：http://secunia.com/advisories/19244

来源: SECUNIA

名称: 19234

链接：http://secunia.com/advisories/19234

来源: SECUNIA

名称: 19232

链接：http://secunia.com/advisories/19232

来源: SECUNIA

名称: 19231

链接：http://secunia.com/advisories/19231

来源: SECUNIA

名称: 19203

链接：http://secunia.com/advisories/19203

来源: SECUNIA

名称: 19197

链接：http://secunia.com/advisories/19197

来源: SUSE

名称: SUSE-SA:2006:014

链接：http://lists.suse.de/archive/suse-security-announce/2006-Mar/0003.html

来源: MANDRIVA

名称: MDKSA-2006:055

链接：http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:055

受影响实体

Gnu Privacy_guard:1.0 Gnu Privacy_guard:1.0.1 Gnu Privacy_guard:1.0.2 Gnu Privacy_guard:1.0.3 Gnu Privacy_guard:1.0.3b

信息来源

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-226

本站原创文章转载请注明文章出处及链接，谢谢合作！

ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带

ZONE.CI 全球网

安全领域涉猎者-乌云独行地带

ZONE.CI 全球网

Plugins

WordPress

Web前端

设计资源

GnuPG内置签名验证漏洞

GnuPG内置签名验证漏洞

漏洞介绍

漏洞补丁

参考网址

受影响实体

信息来源

txtForum ‘common.php’ PHP远程文件包含漏洞

GnuPG内置签名验证漏洞

Matt Johnston Dropbear SSH 远程拒绝服务漏洞

JiRo's Banner ‘Addadmin.ASP’授权绕过漏洞

ENet ‘protocol.c’多个拒绝服务漏洞

Apple Mac OS X Kernel MACH_MSG_SEND本地堆溢出漏洞

MailServer Remote管理端口拒绝服务漏洞

Nodez多跨站脚本攻击漏洞

Easy文件共享网站服务器多个输入验证漏洞

ADP Forum主题字段HTML注入漏洞

ZONE.CI 全球网