<?xml version="1.0" encoding="utf-8"?>
<glsa id="200608-08">
<title>GnuPG: Integer overflow vulnerability</title>
GnuPG is vulnerable to an integer overflow that could lead to the execution
of arbitrary code.
<product type="ebuild">gnupg</product>
<announced>August 05, 2006</announced>
<revised>August 08, 2006: 02</revised>
<package name="app-crypt/gnupg" auto="yes" arch="*">
<unaffected range="ge">1.4.5</unaffected>
<vulnerable range="lt">1.4.5</vulnerable>
The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite
of cryptographic software.
Evgeny Legerov discovered that an integer overflow may occur in GnuPG
when certain packets are handled.
<impact type="high">
By sending a specially crafted email to a user running an affected
version of GnuPG, a remote attacker could possibly execute arbitrary
code with the permissions of the user running GnuPG.
There is no known workaround at this time.
All GnuPG users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;=app-crypt/gnupg-1.4*&quot;</code>
<uri link="">CVE-2006-3746</uri>
<metadata tag="requester" timestamp="Wed, 02 Aug 2006 13:24:55 +0000">
<metadata tag="submitter" timestamp="Wed, 02 Aug 2006 13:48:08 +0000">
<metadata tag="bugReady" timestamp="Sat, 05 Aug 2006 11:09:20 +0000">