Security update for gpg
(Last modified: 10MAR2006)
Product(s): SUSE CORE 9 for x86
SUSE CORE 9 for Itanium Processor Family
SUSE CORE 9 for IBM POWER
SUSE CORE 9 for IBM S/390 31bit
SUSE CORE 9 for IBM zSeries 64bit
SUSE CORE 9 for AMD64 and Intel EM64T
SuSE Linux Desktop 1.0
SUSE LINUX Retail Solution 8
SuSE Linux School Server for i386
SuSE Linux Standard Server 8
SuSE Linux Enterprise Server 8 for x86
SuSE Linux Enterprise Server 8 for IPF
SuSE Linux Enterprise Server 8 for IBM iSeries and IBM pSeries
SuSE Linux Enterprise Server 8 for IBM S/390 and IBM zSeries
SuSE Linux Enterprise Server 8 for IBM zSeries
SuSE Linux Enterprise Server 8 for AMD64
Novell Linux Desktop 9 for x86
Novell Linux Desktop 9 for x86_64
Novell Linux POS 9
Open Enterprise Server
SuSE Linux Openexchange Server 4
The reason for this is that a .gpg or .asc file can contain multiple plaintext and signature streams, and such a stream can only be handled correctly by following gpg's state.
The gpg "--verify" option has been changed to be far stricter than before: it now fails on files containing multiple signatures or blocks, mitigating the problem of running --verify first and then extracting the data with -o.
This problem could be used by an attacker to remotely execute code by placing handcrafted YaST Online Patch files on a compromised YOU mirror server and waiting for the user to run YOU.
This problem is tracked by the Mitre CVE ID CVE-2006-0049.
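The weakness described above is that a single file can carry several plaintext/signature streams, so a successful --verify need not refer to the data that -o later extracts. As an added example (not part of the advisory or of gpg), the following Python walks the top-level OpenPGP packet headers of a binary .gpg file (RFC 4880 §4.2) and flags files containing more than one literal or compressed data packet; the sample packets are constructed with dummy signature bodies, and compressed packets are counted as opaque streams rather than decompressed.

```python
"""Count top-level OpenPGP packets to spot files built from several signed streams."""
from collections import Counter

def read_packet_header(data: bytes, pos: int):
    """Return (tag, body_start, body_len) for the packet header at pos (RFC 4880 §4.2)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"invalid packet header at offset {pos}")
    if first & 0x40:  # new-format header: tag in the low 6 bits, variable-length length
        tag = first & 0x3F
        o1 = data[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported")
    tag = (first >> 2) & 0x0F           # old-format header: tag in bits 5..2
    length_type = first & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length not supported")
    size = 1 << length_type             # 1, 2 or 4 length octets
    return tag, pos + 1 + size, int.from_bytes(data[pos + 1:pos + 1 + size], "big")

def count_packets(data: bytes) -> Counter:
    """Map packet tag -> number of top-level packets with that tag."""
    counts, pos = Counter(), 0
    while pos < len(data):
        tag, start, length = read_packet_header(data, pos)
        if start + length > len(data):
            raise ValueError("truncated packet")
        counts[tag] += 1
        pos = start + length
    return counts

LITERAL, COMPRESSED, SIGNATURE = 11, 8, 2

def is_single_stream(data: bytes) -> bool:
    """True when the file carries at most one literal or compressed data packet."""
    c = count_packets(data)
    return c[LITERAL] + c[COMPRESSED] <= 1

# Constructed sample: one-pass signature + literal "hello" + signature (dummy bodies)
ONE_PASS = bytes([0x90, 13]) + bytes([3, 0, 8, 17]) + b"\x00" * 8 + b"\x01"
LITERAL_PKT = bytes([0xAC, 12]) + b"b\x00" + b"\x00\x00\x00\x00" + b"hello\n"
SIG = bytes([0xC2, 10]) + b"\x00" * 10
SIGNED_ONCE = ONE_PASS + LITERAL_PKT + SIG
SIGNED_TWICE = SIGNED_ONCE + SIGNED_ONCE   # two signed streams concatenated into one file
```

A real file signed by gpg usually wraps these three packets in one compressed packet, which this check counts as a single stream.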
rpm -Fvh gpg.rpm