Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: GnuPG: announce
Security fix for GnuPG

Index | Next | Previous | View Flat

wk at gnupg

Nov 30, 2000, 2:32 PM

Views: 1178
Security fix for GnuPG


It has been pointed out that there is another bug in the signature
verification code of GnuPG.

* This can easily lead to false positives *

All versions of GnuPG released before today are vulnerable!

To check a detached singature you normally do this:

gpg --verify foo.sig foo.txt

The problem here is that someone may replace foo.sig with a standard
signature containing some arbitrary signed text and its signature,
and then modify foo.txt - GnuPG does not detect this - Ooops.

The solution for this problem ist not easy and needs a change in the
semantics of the --verify command: It will not any longer be
possible to do this:

gpg --verify foo.sig <foo.txt

Instead you have to use this

gpg --verify foo.sig - <foo.txt

The difference here is that gpg sees 2 files on the command lines
and thereby knows that it should check a detached signature. We
really need this information and there is no way to avoid that
change, sorry. You should make sure that you never use the first
form, because this will lead to false positives when foo.sig is not
a detached signature - gnupg does detect the other case and warns
you, but this is not sufficient. If you use GnuPG from other
applications, please change it.

What to do:

1. Apply the attached patch to GnuPG 1.0.4

2. Check all programs which are designed to verify detached
signatures, that they don't use the vulnerable way of passing
data to GnuPG.

Currently we are reviewing some other minor bug fixes and
it might take some time to release a fixed version.

I apologize for this bug and have to thank Rene Puls for finding it.


I'd really appreciate if some volunteers can write more regression
tests; especially those for bugs of this kind.
Attachments: apatch (2.80 KB)

Subject User Time
Security fix for GnuPG wk at gnupg Nov 30, 2000, 2:32 PM
    Security fix for GnuPG wk at gnupg Nov 30, 2000, 2:32 PM
    Security fix for GnuPG wk at gnupg Nov 30, 2000, 2:32 PM

  Index | Next | Previous | View Flat

Interested in having your list archived? Contact Gossamer Threads
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.