Bugtraq mailing list archives
Not completely fixed? (was: False positive signature verification in GnuPG)
From: Marcus Meissner <meissner () suse de>
Date: Mon, 20 Feb 2006 17:14:52 +0100
On Wed, Feb 15, 2006 at 08:49:25AM +0100, Werner Koch wrote:
> False positive signature verification in GnuPG
> ==============================================
>
> Summary
> =======
>
> The Gentoo project identified a security related bug in GnuPG.  When
> using any current version of GnuPG for unattended signature
> verification (e.g. by scripts and mail programs), false positive
> signature verification of detached signatures may occur.
>
> This problem affects the tool *gpgv*, as well as using "gpg --verify"
> to imitate gpgv, if only the exit code of the process is used to
> decide whether a detached signature is valid.  This is a plausible
> mode of operation for gpgv.
There is also another signature checking related bug, but not
acknowledged by Werner.

gpg -o xx xx.asc with the attached ASCII signature protected file does
not return an error on a crafted signature. gpg versions before 1.4 did
fail on this, gpg 1.4 does not.

$ gpg -o xx xx.asc
gpg: malformed CRC
$ echo $?
2
$

1.4 does accept it:

$ gpg -o xx xx.asc
$ echo $?
0
$

While files with other content report:

$ gpg -o xx xx.any
gpg: no valid OpenPGP data found.
gpg: processing message failed: eof
$ echo $?
2
$

The SUSE Security Team still considers this a bug, even if upstream
does not.

Ciao, Marcus
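Both problems raised in this thread bite scripts that treat gpg's exit code as the verdict: the advisory's false positives on detached signatures, and the armored file whose bad CRC gpg 1.4 no longer reports. The following Python is an added example, not code from the thread or from GnuPG. It shows two defensive checks a verifying script can apply instead: deciding from the `--status-fd` lines (`VALIDSIG`, `BADSIG`, `ERRSIG`, `NODATA` are GnuPG's documented status keywords) and recomputing the OpenPGP CRC-24 of an ASCII-armored block yourself. The `verify_detached` wrapper assumes `gpgv` is on PATH and that the keyring, signature and data paths exist; the fingerprint and status lines used as sample input are constructed for the demo.

```python
"""Defensive checks for scripted GnuPG signature verification (added example).

Not code from the thread or from GnuPG. Two independent checks:
  * status_verdict(): decide from gpg/gpgv `--status-fd` lines, never from the
    process exit code alone.
  * armor_crc_ok(): recompute the OpenPGP CRC-24 (RFC 4880, section 6.1) of an
    ASCII-armored block, so a malformed or missing CRC is rejected even if the
    gpg binary in use accepts the file.
"""
import base64
import subprocess
from typing import Iterable

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 exactly as specified in RFC 4880, section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_crc_ok(armored: str) -> bool:
    """True only if the armor carries a '=XXXX' CRC line that matches its payload.

    Conservative on purpose: no BEGIN line, no blank line after the armor
    headers, no CRC line, or undecodable base64 all yield False.
    """
    lines = [l.rstrip() for l in armored.splitlines()]
    begin = next((i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP ")), None)
    if begin is None:
        return False
    i = begin + 1
    while i < len(lines) and lines[i]:      # skip armor header lines (Version:, ...)
        i += 1
    payload_lines, crc_line = [], None
    for line in lines[i + 1:]:              # body starts after the blank line
        if line.startswith("-----END PGP "):
            break
        if line.startswith("=") and len(line) == 5:
            crc_line = line                 # '=' plus 4 base64 chars = 3 CRC bytes
            break
        payload_lines.append(line)
    if crc_line is None:
        return False
    try:
        payload = base64.b64decode("".join(payload_lines), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except ValueError:                      # binascii.Error is a ValueError subclass
        return False
    return crc24(payload) == expected


def armor(data: bytes, kind: str = "MESSAGE") -> str:
    """Build a minimal, correctly CRC'd armor block (used here to make demo input)."""
    body = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"


FATAL_STATUS = {"BADSIG", "ERRSIG", "NODATA", "UNEXPECTED"}


def status_verdict(status_lines: Iterable[str], trusted_fprs: Iterable[str]) -> bool:
    """Accept only if gpg reported VALIDSIG by an explicitly trusted fingerprint
    and emitted no BADSIG/ERRSIG/NODATA/UNEXPECTED line. The exit code plays no part."""
    trusted = {f.replace(" ", "").upper() for f in trusted_fprs}
    valid_by, fatal = set(), False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            valid_by.add(fields[2].upper())   # field after VALIDSIG is the signing key fingerprint
        elif fields[1] in FATAL_STATUS:
            fatal = True
    return not fatal and bool(valid_by & trusted)


def verify_detached(sig_path: str, data_path: str, keyring: str,
                    trusted_fprs: Iterable[str]) -> bool:
    """Run gpgv and judge the result from its status lines (paths are assumptions)."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        capture_output=True, text=True, check=False)
    return status_verdict(proc.stdout.splitlines(), trusted_fprs)


# Constructed sample data, not taken from the thread
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = [
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>",
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2006-02-20 1140452092 0 4 0 1 2 00 {TRUSTED_FPR}",
]
NO_SIGNATURE_STATUS = ["[GNUPG:] NODATA 1"]   # NODATA: no signature packet was found

if __name__ == "__main__":
    print("status ok:", status_verdict(GOOD_STATUS, [TRUSTED_FPR]))
    print("nodata rejected:", not status_verdict(NO_SIGNATURE_STATUS, [TRUSTED_FPR]))
    print("armor crc ok:", armor_crc_ok(armor(b"hello world")))
```

The verdict deliberately requires a `VALIDSIG` from a fingerprint the caller listed and rejects on any fatal keyword, so a run that emits nothing (or only `GOODSIG` from an unknown key) fails closed. The CRC check is independent of gpg and is the kind of test that would have flagged the attached xx.asc regardless of which gpg version processed it.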
Attachment:
xx.asc