Not completely fixed? (was: False positive signature verification in GnuPG)

Marcus Meissner meissner at suse.de
Mon Feb 20 17:14:52 CET 2006


On Wed, Feb 15, 2006 at 08:49:25AM +0100, Werner Koch wrote:
>            False positive signature verification in GnuPG
>            ==============================================
> 
> Summary
> =======
> 
> The Gentoo project identified a security related bug in GnuPG.  When
> using any current version of GnuPG for unattended signature
> verification (e.g. by scripts and mail programs), false positive
> signature verification of detached signatures may occur.
> 
> This problem affects the tool *gpgv*, as well as using "gpg --verify"
> to imitate gpgv, if only the exit code of the process is used to
> decide whether a detached signature is valid.  This is a plausible
> mode of operation for gpgv.

There is also another signature checking related bug, but not acknowledged
by Werner.

gpg -o xx xx.asc with the attached ASCII signature protected file does
not return an error on a crafted signature.

gpg version before 1.4 did fail on this, gpg 1.4 does not.

$ gpg -o xx xx.asc
gpg: malformed CRC
$ echo $?
2
$

1.4 does accept it:
$ gpg -o xx xx.asc
$ echo $?
0
$

While files with other content report:
$ gpg -o xx xx.any
gpg: no valid OpenPGP data found.
gpg: processing message failed: eof
$ echo $?
2
$

The SUSE Security Team still considers this a bug, even if upstream does not.

Ciao, Marcus
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This message is a test
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

ysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrK
ysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrK
ysrKysrKysrKysrKysrKysrKyso=
-----END PGP SIGNATURE-----


More information about the Gnupg-devel mailing list