GnuPG contains a flaw that may allow a malicious user to overwrite group root writeable files. The issue is triggered when GnuPG has the setgid bit set. It is possible that the flaw may allow improper overwriting of files, resulting in a loss of integrity and/or availability.
Classification
Location:
Local Access Required
Attack Type:
Denial of Service,
Misconfiguration
Impact:
Loss of Integrity,
Loss of Availability
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
Technical
GnuPG must run with setuid privileges to be able to use protected memory space. However, on the Gentoo Linux distribution, GnuPG is incorrectly also running with the setgid bit, allowing it to be used to overwrite group root writeable files.
Solution
Upgrade to version 1.2.2-r1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
gentoo.org - Gentoo Technologies, Inc.