Red Hat Bugzilla – Bug 19312
GnuPG signature verification bug
Last modified: 2007-03-26 23:36:45 EDT
From: Werner Koch <email@example.com>
Subject: [Announce] GnuPG security fix
Date: Tue, 17 Oct 2000 19:47:01 +0200
A bug in GnuPG's signature verification function has recently been
If you have more than one signature (either cleartext or binary
ones) in a file (or pipe that to gpg), gpg does not compare each
signature but flags each document as good or bad depending on the
first document in the file. It is possible to use this bug to fake
signatures (in most cases it needs some social engineering but it is
not that complicated).
IT IS RECOMMENDED TO UPDATE TO THIS NEW 1.0.4 RELEASE WHICH
FIXES THE PROBLEM!
GnuPG version 1.0.4 is now available at the address below and should
show up on the mirrors within a day.
A diff against 1.0.3 is also available:
MD5 checksums of the above files are:
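As an added illustration (not part of the announcement or of GnuPG's own code) of why each signature in a multi-signature file must be checked on its own: the parser below splits concatenated clearsigned blocks and contrasts per-block verification with the pre-1.0.4 behaviour of reporting the first block's verdict for every block. HMAC-SHA256 under a shared key is assumed as a stand-in for the OpenPGP signature, and the block layout and sample notices are constructed.

```python
import hashlib
import hmac
import re

# Stand-in for an OpenPGP signature (assumption for this demo, NOT how GnuPG
# signs): HMAC-SHA256 under a constructed shared key. It only has to yield a
# checkable good/bad verdict per block.
KEY = b"constructed-demo-key"

def sign(message: bytes) -> str:
    return hmac.new(KEY, message, hashlib.sha256).hexdigest()

def verify(message: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(message), sig)

# One clearsigned block: header, optional Hash: line, blank line, text, armor.
BLOCK_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:Hash: [^\n]*\n)?\n(.*?)\n"
    r"-----BEGIN PGP SIGNATURE-----\n(.*?)\n-----END PGP SIGNATURE-----",
    re.S,
)

def split_clearsigned(text: str):
    """Return [(message, signature), ...] for every clearsigned block in text."""
    return [(m.group(1), m.group(2).strip()) for m in BLOCK_RE.finditer(text)]

def verify_each(text: str):
    """Correct behaviour: every block gets its own verdict."""
    return [verify(msg.encode(), sig) for msg, sig in split_clearsigned(text)]

def verify_first_only(text: str):
    """Pre-1.0.4 failure mode: the first block's verdict is reported for all."""
    blocks = split_clearsigned(text)
    if not blocks:
        return []
    first = verify(blocks[0][0].encode(), blocks[0][1])
    return [first] * len(blocks)

def clearsign(message: str, sig: str) -> str:
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            f"{message}\n-----BEGIN PGP SIGNATURE-----\n{sig}\n"
            "-----END PGP SIGNATURE-----\n")

# Constructed sample file: a genuinely signed notice followed by a second
# notice carrying a bogus signature (all zeros).
GOOD = "Release 1.0.4 is available."
BOGUS = "Second notice, not actually signed."
SAMPLE = clearsign(GOOD, sign(GOOD.encode())) + clearsign(BOGUS, "0" * 64)
```

The correct verifier reports [True, False] for SAMPLE; the first-only verifier reports [True, True], which is the misclassification the announcement describes.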
There is a little bug in 1.0.4. Werner Koch proposed the following patch:
--- g10/misc.c 2000/10/13 15:03:48 188.8.131.52
+++ g10/misc.c 2000/10/18 13:34:01
@@ -224,6 +224,9 @@
|| algo == CIPHER_ALGO_CAST5
|| algo == CIPHER_ALGO_BLOWFISH
|| algo == CIPHER_ALGO_TWOFISH
+ || algo == CIPHER_ALGO_RIJNDAEL
+ || algo == CIPHER_ALGO_RIJNDAEL192
+ || algo == CIPHER_ALGO_RIJNDAEL256
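Review bot: the hunk header @@ -224,6 +224,9 @@ promises six lines of unchanged context, but only the three lines before the additions are present and none after, so the trailing context has been lost and the hunk as shown will not apply cleanly; restore the three trailing context lines (or regenerate the diff against 1.0.4) before applying. The leading whitespace of the context lines also appears stripped, which patch will reject unless it is told to ignore whitespace.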
A fix (with this patch) is now in our pipeline.