| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060220161452.GB28569__42311.9058054455$1140566591$gmane$org@suse.de>
Date: Mon, 20 Feb 2006 17:14:52 +0100
From: Marcus Meissner <meissner@...e.de>
To: gnupg-devel@...pg.org, bugtraq@...urityfocus.com
Subject: Not completely fixed? (was: False positive signature verification in GnuPG)
On Wed, Feb 15, 2006 at 08:49:25AM +0100, Werner Koch wrote:
> False positive signature verification in GnuPG
> ==============================================
>
> Summary
> =======
>
> The Gentoo project identified a security related bug in GnuPG. When
> using any current version of GnuPG for unattended signature
> verification (e.g. by scripts and mail programs), false positive
> signature verification of detached signatures may occur.
>
> This problem affects the tool *gpgv*, as well as using "gpg --verify"
> to imitate gpgv, if only the exit code of the process is used to
> decide whether a detached signature is valid. This is a plausible
> mode of operation for gpgv.
There is also another signature checking related bug, but not acknowledged
by Werner.
gpg -o xx xx.asc with the attached ASCII signature protected file does
not return an error on a crafted signature.
gpg version before 1.4 did fail on this, gpg 1.4 does not.
$ gpg -o xx xx.asc
gpg: malformed CRC
$ echo $?
2
$
1.4 does accept it:
$ gpg -o xx xx.asc
$ echo $?
0
$
While files with other content report:
$ gpg -o xx xx.any
gpg: no valid OpenPGP data found.
gpg: processing message failed: eof
$ echo $?
2
$
The SUSE Security Team still considers this a bug, even if upstream does not.
Ciao, Marcus
View attachment "xx.asc" of type "text/plain" (339 bytes)
Powered by blists - more mailing lists