Date: Mon, 20 Feb 2006 17:14:52 +0100
From: Marcus Meissner <meissner@suse.de.>
To: gnupg-devel@gnupg.org, bugtraq@securityfocus.com
Subject: Not completely fixed? (was: False positive signature verification in GnuPG)
Message-ID: <20060220161452.GB28569@suse.de.>
References: <87u0b1xdru.fsf@wheatstone.g10code.de.>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="NzB8fVQJ5HfG6fxh"
Content-Disposition: inline
In-Reply-To: <87u0b1xdru.fsf@wheatstone.g10code.de.>
User-Agent: Mutt/1.5.6i
X-Virus-Scanned: antivirus-gw at tyumen.ru
--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Wed, Feb 15, 2006 at 08:49:25AM +0100, Werner Koch wrote:
> False positive signature verification in GnuPG
> ==============================================
>
> Summary
> =======
>
> The Gentoo project identified a security related bug in GnuPG. When
> using any current version of GnuPG for unattended signature
> verification (e.g. by scripts and mail programs), false positive
> signature verification of detached signatures may occur.
>
> This problem affects the tool *gpgv*, as well as using "gpg --verify"
> to imitate gpgv, if only the exit code of the process is used to
> decide whether a detached signature is valid. This is a plausible
> mode of operation for gpgv.
There is also another signature checking related bug, but not acknowledged
by Werner.
gpg -o xx xx.asc with the attached ASCII signature protected file does
not return an error on a crafted signature.
gpg version before 1.4 did fail on this, gpg 1.4 does not.
$ gpg -o xx xx.asc
gpg: malformed CRC
$ echo $?
2
$
1.4 does accept it:
$ gpg -o xx xx.asc
$ echo $?
0
$
While files with other content report:
$ gpg -o xx xx.any
gpg: no valid OpenPGP data found.
gpg: processing message failed: eof
$ echo $?
2
$
The SUSE Security Team still considers this a bug, even if upstream does not.
Ciao, Marcus
--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="xx.asc"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This message is a test
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
ysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrK
ysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrK
ysrKysrKysrKysrKysrKysrKyso=
-----END PGP SIGNATURE-----
--NzB8fVQJ5HfG6fxh--
