+++ This bug was initially created as a clone of Bug #184556 +++

Gnupg incorrect malformed message verification

Tavis Ormandy discovered that it is still possible to trick gnupg into incorrectly verifying a signed message.

The patch is here:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.2.1-1.4.2.2.diff.bz2

This issue also affects RHEL3
This issue also affects RHEL2.1

-- Additional comment from bressers on 2006-03-13 09:56 EST --

Created an attachment (id=126039)
Demo reproducer

This reproducer was given to us by Gentoo. In order to reproduce this issue on RHEL, the --ignore-crc-error option must be given to gpg. This also mitigates the usefulness of this issue on RHEL.