lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri Feb 17 15:11:13 2006
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-252-1] gnupg vulnerability

===========================================================
Ubuntu Security Notice USN-252-1	  February 17, 2006
gnupg vulnerability
CVE-2006-0455
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

gnupg

The problem can be corrected by upgrading the affected package to
version 1.2.4-4ubuntu2.2 (for ubuntu 4.10), 1.2.5-3ubuntu5.2 (for
Ubuntu 5.04), or 1.4.1-1ubuntu1.1 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a potential weakness in the signature
verification of gnupg. gpgv and gpg --verify returned a successful
exit code even if the checked file did not have any signature at all.
The recommended way of checking the result is to evaluate the status
messages, but some third party applications might just check the exit
code for determining whether or not a signature is valid. These
applications could be tricked into erroneously reporting a valid
signature.

Please note that this does not affect the Ubuntu package signature
checks.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2.diff.gz
      Size/MD5:    57697 7859d87efb668c1ffb53859c17e7200a
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2.dsc
      Size/MD5:      621 a601569ac7c80138bc56e9f9eb4fbecb
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4.orig.tar.gz
      Size/MD5:  3451202 adfab529010ba55533c8e538c0b042a2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2_amd64.deb
      Size/MD5:  1722418 530e590811bd954b24ff06ca0a690050

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2_i386.deb
      Size/MD5:  1667378 9456a90509b1c80c1723abd2bf2b9d07

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2_powerpc.deb
      Size/MD5:  1721708 f8bc943af454d4bcc6566340c6ef1a41

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2.diff.gz
      Size/MD5:    63903 154d68158685ee570446e0ea5bde2fd4
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2.dsc
      Size/MD5:      654 3101b98dfda3da22b8c013ff557fd95a
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5.orig.tar.gz
      Size/MD5:  3645308 9109ff94f7a502acd915a6e61d28d98a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2_amd64.deb
      Size/MD5:   805508 d370724a74d179da246fa48240f2907e
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.2_amd64.udeb
      Size/MD5:   146278 5f2a57a83c42c4053c974a5c8dbfbd8f

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2_i386.deb
      Size/MD5:   750320 da0f3f94a0f084a32be0bf1f17473a59
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.2_i386.udeb
      Size/MD5:   121234 210e76177b3737275909d31d6eeb0cc5

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2_powerpc.deb
      Size/MD5:   806078 1d625d6235b1659f86acae0d8efbd3c4
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.2_powerpc.udeb
      Size/MD5:   135284 7d46859278245aa9784d020d23ac1440

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1.diff.gz
      Size/MD5:    18014 e0c82f178dd412ea54607ca9cd03624b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1.dsc
      Size/MD5:      684 c25b2397ca0e6af1201f840ba8e7e89b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
      Size/MD5:  4059170 1cc77c6943baaa711222e954bbd785e5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1_amd64.deb
      Size/MD5:  1135890 fc1cab421bd3defb1587d8d49741cc61
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.1_amd64.udeb
      Size/MD5:   152140 45911ed13c75e1320633487e001a2d57

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1_i386.deb
      Size/MD5:  1043962 91336db0bac738815ac0d4de7094fdb0
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.1_i386.udeb
      Size/MD5:   130578 49c6cbdf3aed81683a346d0eee7f457b

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1_powerpc.deb
      Size/MD5:  1119074 deea65c63af7e01c9675a2ff597ff3ba
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.1_powerpc.udeb
      Size/MD5:   140072 f147e53fb3beb6a19f362271d08d31e0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060217/1fcdd7a7/attachment.bin

Powered by blists - more mailing lists