Every version of GnuTLS found to be vulnerable to certification bypass.
David Shaw
dshaw at jabberwocky.com
Wed Mar 5 07:21:07 CET 2014
On Mar 5, 2014, at 12:09 AM, NIIBE Yutaka <gniibe at fsij.org> wrote:
> I think that he just checked the dependencies.
>
> On my Debian box, it's:
>
> gnupg2 -> libcurl3-gnutls -> libgnutls26
>
> So, it's related somehow.
GnuPG can use libcurl to talk to keyservers. So if a particular libcurl is linked to gnutls, it would be possible for there to be a keyserver rigged with a cert appearing to be a different keyserver. Of course, if such a server returned an incorrect key, that key wouldn't have the proper fingerprint or verify in the web of trust. Still, I could see that if someone was doing the wrong thing and trusting a key merely because it came from a particular server, they could get into trouble, but then they shouldn't have been doing that in the first place. Which is not to minimize what is clearly a very serious bug - just that it doesn't affect the security of GnuPG directly.
> But I don't think it makes sense to call all those software victims.
Agreed.
David
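The point made above is that a keyserver reached over a spoofed TLS certificate can only hand back a key that fails the fingerprint check, so the defence is to compare the fetched key's fingerprint against one obtained out of band rather than to trust the server. The following is an added example, not code from the thread or from GnuPG, showing that check end to end: it builds a minimal v4 RSA public-key packet body, computes the OpenPGP v4 fingerprint as RFC 4880 section 12.2 defines it (SHA-1 over 0x99, the two-byte body length, and the body), and accepts a "fetched" key only when that fingerprint matches the pinned one. The key parameters, the function names and the rogue-server scenario are all constructed for illustration.

```python
import hashlib
import struct


def mpi(x: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = x.bit_length()
    return struct.pack(">H", bits) + x.to_bytes((bits + 7) // 8, "big")


def build_v4_rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version byte, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: the v4 fingerprint is SHA-1 over the byte 0x99,
    the two-byte big-endian length of the packet body, and the body itself.
    Returned as 40 upper-case hex digits, the form gpg --fingerprint prints."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only v4 public-key packets are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalise(fingerprint: str) -> str:
    """Accept fingerprints with or without the spacing gpg prints."""
    return fingerprint.replace(" ", "").upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 16 hex digits of the v4 fingerprint."""
    return normalise(fingerprint)[-16:]


def verify_fetched_key(body: bytes, expected_fingerprint: str) -> bool:
    """Accept key material only if its fingerprint equals one obtained out of
    band (from the key owner, a signed document, a trusted web-of-trust path).
    Which server delivered it, and whether that server's TLS certificate
    checked out, plays no part in the decision."""
    return v4_fingerprint(body) == normalise(expected_fingerprint)


# Constructed sample data: tiny made-up RSA parameters, not real keys.
CREATED = 1393977600
GENUINE_KEY = build_v4_rsa_pubkey_body(CREATED, n=0xC3A5C85C97CB3127, e=65537)
# What a rogue keyserver (reachable because of the certificate-check bypass)
# might hand back instead: a different key presented under the same name.
SUBSTITUTED_KEY = build_v4_rsa_pubkey_body(CREATED, n=0xD9E3F1A2B4C5D6E7, e=65537)


def simulate_keyserver_fetch(pinned_fingerprint: str, served_key: bytes) -> dict:
    """Mimic a client that pinned the fingerprint before talking to any server."""
    served_fp = v4_fingerprint(served_key)
    return {
        "served_fingerprint": served_fp,
        "served_key_id": key_id(served_fp),
        "accepted": verify_fetched_key(served_key, pinned_fingerprint),
    }


if __name__ == "__main__":
    pinned = v4_fingerprint(GENUINE_KEY)  # obtained out of band in real life
    print("pinned:", pinned)
    print("honest server:", simulate_keyserver_fetch(pinned, GENUINE_KEY))
    print("rogue server: ", simulate_keyserver_fetch(pinned, SUBSTITUTED_KEY))
```

The substituted key is rejected regardless of which hostname the TLS layer believed it was talking to, which is exactly why the certificate-bypass bug does not by itself let a keyserver feed a bad key to a client that compares fingerprints. The check only helps if the expected fingerprint came from somewhere other than the same server.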