gnupg
200307-06
Published: 2003-07-19 16:15:43
Updated: 2003-07-19 16:15:43

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200307-06
- - - ---------------------------------------------------------------------

          PACKAGE : gnupg
          SUMMARY : gpg setgid
             DATE : 2003-07-19 14:27 UTC
          EXPLOIT : local
VERSIONS AFFECTED : <gnupg-1.2.2-r1
    FIXED VERSION : >=gnupg-1.2.2-r1
              CVE :

- - - ---------------------------------------------------------------------

gpg needs to be setuid to make use of protected memory space; however, the
setgid bit allowed a gpg user to overwrite group root writable files and is
therefore unnecessary.

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-crypt/gnupg upgrade to gnupg-1.2.2-r1 as follows:

emerge sync
emerge gnupg
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://dev.gentoo.org/~aliz
taviso@gentoo.org
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/GVVqfT7nyhUpoZMRAuvoAJ4+sGRjZzE9N6CvSsZ/igqlEYOmrgCghtXb
mjW0tn0aoFEPuaOOVMv0cMk=
=09VQ
-----END PGP SIGNATURE-----
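
A check for the condition this advisory describes, as an added example that is not part of the original advisory or of Gentoo's tooling: it reports whether a gpg binary still carries the setgid bit, for instance after the upgrade. It assumes GNU `stat`; the function names and the `/usr/bin/gpg` path are assumptions.

```shell
#!/bin/sh
# Added example: audit the special permission bits on a gpg binary.
# Assumptions: GNU coreutils `stat` is available, and /usr/bin/gpg is the
# install path (adjust to the path used on your system).
# Usage: audit_gpg /usr/bin/gpg

# classify_mode OCTAL
# Takes an octal mode as printed by `stat -c %a` (e.g. 6755 or 755) and
# prints "setuid+setgid", "setuid", "setgid" or "none".
classify_mode() {
    mode=$1
    # The special bits are the leading digit of a four-digit mode.
    case ${#mode} in
        4) special=${mode%???} ;;
        *) special=0 ;;
    esac
    case $special in
        6|7) echo "setuid+setgid" ;;
        4|5) echo "setuid" ;;
        2|3) echo "setgid" ;;
        *)   echo "none" ;;
    esac
}

# audit_gpg PATH
# Prints a verdict and returns:
#   0  no setgid bit (setuid alone is what the advisory expects)
#   1  setgid bit present (the condition the advisory removes)
#   2  file not found
audit_gpg() {
    bin=$1
    [ -f "$bin" ] || { echo "missing: $bin"; return 2; }
    bits=$(classify_mode "$(stat -c '%a' "$bin")")
    case $bits in
        *setgid*)
            echo "FLAG: $bin is $bits; the setgid bit is unnecessary"
            return 1 ;;
        setuid)
            echo "ok: $bin is setuid only"
            return 0 ;;
        *)
            echo "ok: $bin has no setuid/setgid bits"
            return 0 ;;
    esac
}
```
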
Copyright 2007, SecurityFocus