Bug 19312 - GnuPG signature verification bug
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: gnupg
Version: 7.0
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Aaron Brown
Keywords: Security
Reported: 2000-10-18 08:04 EDT by Daniel Roesen
Modified: 2007-03-26 23:36 EDT
Last Closed: 2000-10-18 11:58:09 EDT
Description Daniel Roesen 2000-10-18 08:04:42 EDT
From: Werner Koch <wk@gnupg.org>
To: gnupg-announce@gnupg.org
Subject: [Announce] GnuPG security fix
Date: Tue, 17 Oct 2000 19:47:01 +0200

Hello!

A bug in GnuPG's signature verification function has recently been
found:

If you have more than one signature (either cleartext or binary
ones) in a file (or pipe that to gpg), gpg does not compare each
signature but flags each document as good or bad depending on the
first document in the file. It is possible to use this bug to fake
signatures (in most cases it needs some social engineering but it is
not that complicated).

     IT IS RECOMMENDED TO UPDATE TO THIS NEW 1.0.4 RELEASE WHICH
                       FIXES THE PROBLEM!

GnuPG version 1.0.4 is now available at the address below and should
show up on the mirrors within a day.

   ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz  (1685k)
   ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz.sig

A diff against 1.0.3 is also available:

 ftp://ftp.guug.de/pub/gcrypt/gnupg/gnupg-1.0.3-1.0.4.diff.gz  (116k)

MD5 checksums of the above files are:

   bef2267bfe9b74a00906a78db34437f9  gnupg-1.0.4.tar.gz
   c79711f3c6b79acb733f79fe0f36a8c2  gnupg-1.0.3-1.0.4.diff.gz
[...]
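
A minimal model of the behaviour the announcement describes, added here as an illustration and not GnuPG's code: HMAC-SHA256 stands in for an OpenPGP signature, and the key, function names and sample stream are constructed assumptions. It contrasts reusing the first verdict for the whole input with checking each signature against its own document.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stand-in for the signer's key


def sign(doc: bytes) -> bytes:
    """HMAC-SHA256 stands in for an OpenPGP signature in this model."""
    return hmac.new(KEY, doc, hashlib.sha256).digest()


def check(doc: bytes, sig: bytes) -> bool:
    """Verify one signature against one document."""
    return hmac.compare_digest(sign(doc), sig)


def verify_stream_flawed(stream):
    """Models the reported behaviour: the first verdict is reused for every document."""
    verdicts, first = [], None
    for doc, sig in stream:
        if first is None:
            first = check(doc, sig)
        verdicts.append((doc, first))
    return verdicts


def verify_stream_per_document(stream):
    """Each signature is compared against its own document."""
    return [(doc, check(doc, sig)) for doc, sig in stream]


def accept(stream) -> bool:
    """Caller-side policy: accept only a non-empty input in which every document verifies."""
    results = verify_stream_per_document(stream)
    return bool(results) and all(ok for _, ok in results)


# Constructed sample: a correctly signed document followed by one whose
# signature does not match its content.
GOOD = b"release notes v1\n"
OTHER = b"text that was never signed\n"
STREAM = [(GOOD, sign(GOOD)), (OTHER, sign(b"something else"))]

if __name__ == "__main__":
    print("flawed:      ", [ok for _, ok in verify_stream_flawed(STREAM)])
    print("per-document:", [ok for _, ok in verify_stream_per_document(STREAM)])
    print("accepted:    ", accept(STREAM))
```

Scripts that gate on a verifier's result should bind the verdict to the exact bytes that were checked, as `accept` does, rather than to the input file as a whole.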
Comment 1 Daniel Roesen 2000-10-18 10:33:28 EDT
There is a little bug in 1.0.4. Werner Koch proposed the following patch:

--- g10/misc.c  2000/10/13 15:03:48     1.16.2.4
+++ g10/misc.c  2000/10/18 13:34:01
@@ -224,6 +224,9 @@
             || algo == CIPHER_ALGO_CAST5
             || algo == CIPHER_ALGO_BLOWFISH
             || algo == CIPHER_ALGO_TWOFISH
+            || algo == CIPHER_ALGO_RIJNDAEL
+            || algo == CIPHER_ALGO_RIJNDAEL192
+            || algo == CIPHER_ALGO_RIJNDAEL256
           )
        ;
     else {
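Review bot: the `algo == CIPHER_ALGO_...` chain in this condition is a hand-maintained list, so the next cipher added elsewhere will fall through to the `else` branch again unless someone remembers to extend this site. Consider a `switch (algo)` or a shared helper or table kept next to the cipher definitions, and invert the test so the empty `;` branch before `else {` can go away. The patch description also only says "a little bug"; a line stating what users of the three RIJNDAEL variants saw in 1.0.4 would help anyone reviewing the errata.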
Comment 2 Nalin Dahyabhai 2000-10-18 11:58:06 EDT
A fix (with this patch) is now in our pipeline.
