Bug 19312
| Summary: | GnuPG signature verification bug | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Daniel Roesen <dr> |
| Component: | gnupg | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED ERRATA | QA Contact: | Aaron Brown <abrown> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2000-10-18 15:58:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
There is a little bug in 1.0.4. Werner Koch proposed the following patch:
--- g10/misc.c 2000/10/13 15:03:48 1.16.2.4
+++ g10/misc.c 2000/10/18 13:34:01
@@ -224,6 +224,9 @@
|| algo == CIPHER_ALGO_CAST5
|| algo == CIPHER_ALGO_BLOWFISH
|| algo == CIPHER_ALGO_TWOFISH
+ || algo == CIPHER_ALGO_RIJNDAEL
+ || algo == CIPHER_ALGO_RIJNDAEL192
+ || algo == CIPHER_ALGO_RIJNDAEL256
)
;
else {
A fix (with this patch) is now in our pipeline. |
From: Werner Koch <wk> To: gnupg-announce Subject: [Announce] GnuPG security fix Date: Tue, 17 Oct 2000 19:47:01 +0200 Hello! A bug in GnuPG's signature verification function has recently been found: If you have more than one signature (either cleartext or binary ones) in a file (or pipe that to gpg), gpg does not compare each signature but flags each document as good or bad depending on the first document in the file. It is possible to use this bug to fake signatures (it most cases it needs some social engineering but it is not that complicated). IT IS RECOMMENDED TO UPDATE TO THIS NEW 1.0.4 RELEASE WHICH FIXES THE PROBLEM! GnuPG version 1.0.4 is now available at the address below and should show up on the mirrors within a day. ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz (1685k) ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz.sig A diff against 1.0.3 is also available: ftp://ftp.guug.de/pub/gcrypt/gnupg/gnupg-1.0.3-1.0.4.diff.gz (116k) MD5 checksums of the above files are: bef2267bfe9b74a00906a78db34437f9 gnupg-1.0.4.tar.gz c79711f3c6b79acb733f79fe0f36a8c2 gnupg-1.0.3-1.0.4.diff.gz [...]