Bug 181822

Summary: CVE-2006-0455 gpg will quietly exit when attempting to verify a malformed message
Product: [Fedora] Fedora Reporter: Josh Bressers <bressers>
Component: gnupgAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE QA Contact: Mike McLean <mikem>
Severity: medium Docs Contact:
Priority: medium    
Version: 4Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: source=vendorsec,reported=20060213,public=20060215,impact=moderate
Fixed In Version: 1.4.2.1-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-03-03 04:38:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2006-02-16 21:23:17 UTC 
The Gentoo project identified a security related bug in GnuPG.  When
using any current version of GnuPG for unattended signature
verification (e.g. by scripts and mail programs), false positive
signature verification of detached signatures may occur.

This is primarily an issue since gpg return 0 on what should be a failure.  This
will break automated scripts.

http://marc.theaimsgroup.com/?l=gnupg-devel&m=113999098729114&w=2
Comment 1 Fedora Update System 2006-02-17 19:18:50 UTC 
From User-Agent: XML-RPC

gnupg-1.4.2.1-1 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.