Red Hat Bugzilla – Bug 21498
Detached signature verification vulnerability
Last modified: 2007-03-26 23:37:55 EDT
From email@example.com mailing list:
----- CITE -----
From: Rene Puls <firstname.lastname@example.org>
Subject: Serious problem with detached sigs
Date: Wed, 29 Nov 2000 19:55:33 +0100
I think I found a serious problem with signature verification
under GnuPG. This may cause detached signatures to be reported as
"valid" while in fact they are not.
The problem is actually quite simple. When you type something
like "gnupg --verify detached_sig signed_file", you would expect GnuPG
to verify the detached signature against the signed file. If you now
replace the "detached_sig" file with a full, clear-signed message
(which is not related to the "signed_file" in any way), GnuPG still
reports a good signature - which is quite misleading.
This means that someone could, for example, modify the
gnupg-1.0.4.tar.gz file on the FTP server, replace the .sig file with
any message that is signed by Werner (no offense :) and nobody would
notice, because the --verify command will correctly verify the
detached signature (but as a full signed message, not as a detached
A fix for this should be quite simple, by making sure that the
detached_sig file given to the --verify command is *indeed* a detached
signature, at least if two files are given as arguments.
Rene Puls <email@example.com> GnuPG key 0x8652FFE2
----- CITE -----
I verified this to be a vulnerability in at least GnuPG 1.0.4.
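The check Rene asks for above (make sure the first argument to --verify is really a detached signature before it is verified against the second) can be done outside GnuPG as well. The following is an added example and is not GnuPG's code, not the patch attached to this bug and not anything posted on the list: it walks the OpenPGP packet headers of the would-be signature file (packet format as in RFC 4880, which keeps the header layout of the RFC 2440 that GnuPG 1.0.4 implemented) and accepts the file only if it consists of nothing but Signature packets (tag 2). A clear-signed message is rejected at the armor header ("PGP SIGNED MESSAGE" instead of "PGP SIGNATURE"), and a binary inline-signed message is rejected because it carries one-pass-signature and literal-data packets. Function names, the sample inputs (constructed filler, not real signatures) and the assumption that a `gpg` binary is on PATH for `verify_detached` are mine.

```python
# Added example (not GnuPG's code and not the patch attached to this bug):
# a pre-check that refuses to hand a file to `gpg --verify sig file` unless
# it really is a detached signature, i.e. nothing but OpenPGP Signature
# packets (RFC 4880 tag 2).  Function names and sample data are assumptions.
import base64
import re
import subprocess

SIGNATURE_TAG = 2                       # RFC 4880 sec. 5.2: Signature packet
_ARMOR_BEGIN = re.compile(rb"-----BEGIN PGP ([A-Z ]+)-----")


def dearmor(data: bytes) -> bytes:
    """Return the packet bytes inside an ASCII-armored detached signature.

    Any other armor type is rejected: a clear-signed message begins with
    "PGP SIGNED MESSAGE", an inline-signed or encrypted one with "PGP MESSAGE".
    """
    body = data.lstrip()
    m = _ARMOR_BEGIN.match(body)
    if m is None:
        raise ValueError("not ASCII armor")
    if m.group(1) != b"SIGNATURE":
        raise ValueError("armor type %r is not a detached signature" % m.group(1))
    # Drop the rest of the BEGIN line; what follows is armor headers, a blank
    # line, base64 data, an optional "=CRC24" line and the END line.
    parts = body[m.end():].split(b"\n", 1)
    if len(parts) < 2:
        raise ValueError("truncated armor")
    b64, in_headers = [], True
    for line in parts[1].splitlines():
        line = line.strip()
        if in_headers:
            in_headers = line != b""        # blank line ends the headers
            continue
        if line.startswith(b"-----END PGP SIGNATURE-----"):
            break
        if line.startswith(b"="):           # armor checksum, not packet data
            continue
        b64.append(line)
    return base64.b64decode(b"".join(b64), validate=True)


def packet_tags(packets: bytes) -> list:
    """Walk the packet headers (RFC 4880 sec. 4.2) and return every packet tag.

    Fails closed (ValueError) on malformed, truncated or partial-length input.
    """
    tags, i, n = [], 0, len(packets)
    try:
        while i < n:
            ctb = packets[i]
            if not ctb & 0x80:
                raise ValueError("bad packet header at offset %d" % i)
            if ctb & 0x40:                              # new-format header
                tag, l1 = ctb & 0x3F, packets[i + 1]
                if l1 < 192:
                    hdr, length = 2, l1
                elif l1 < 224:
                    hdr, length = 3, ((l1 - 192) << 8) + packets[i + 2] + 192
                elif l1 == 255:
                    hdr, length = 6, int.from_bytes(packets[i + 2:i + 6], "big")
                else:
                    raise ValueError("partial body lengths not supported")
            else:                                       # old-format header
                tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
                if ltype == 3:
                    raise ValueError("indeterminate packet length")
                hdr = 1 + (1 << ltype)                  # 1, 2 or 4 length octets
                length = int.from_bytes(packets[i + 1:i + hdr], "big")
            if i + hdr + length > n:
                raise ValueError("truncated packet at offset %d" % i)
            tags.append(tag)
            i += hdr + length
    except IndexError:
        raise ValueError("truncated packet header")
    return tags


def is_detached_signature(data: bytes) -> bool:
    """True only if `data` is made of nothing but Signature packets."""
    try:
        if data.lstrip().startswith(b"-----BEGIN PGP "):
            data = dearmor(data)
        tags = packet_tags(data)
    except ValueError:
        return False
    return bool(tags) and all(t == SIGNATURE_TAG for t in tags)


def verify_detached(sig_path: str, data_path: str) -> bool:
    """Guarded `gpg --verify sig data`; assumes a `gpg` binary on PATH."""
    with open(sig_path, "rb") as fh:
        sig = fh.read()
    if not is_detached_signature(sig):
        raise ValueError("%s is not a detached signature" % sig_path)
    # Only now let gpg look at it; exit status 0 means a good signature.
    return subprocess.run(["gpg", "--batch", "--verify", sig_path, data_path]).returncode == 0


# Constructed inputs (packet bodies are filler, not real signatures).
DETACHED_BIN = b"\x88\x05\x04\x00\x01\x08\x00"            # old-format tag 2, 5-byte body
DETACHED_ARMORED = (b"-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.0.4\n\n"
                    + base64.b64encode(DETACHED_BIN)
                    + b"\n=AAAA\n-----END PGP SIGNATURE-----\n")
CLEARSIGNED = (b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
               b"unrelated text signed by the same key\n"
               b"-----BEGIN PGP SIGNATURE-----\n\niAUEAAEIAA==\n=AAAA\n"
               b"-----END PGP SIGNATURE-----\n")
INLINE_SIGNED = (b"\xc4\x02\x03\x00"            # one-pass signature (tag 4)
                 b"\xcb\x03\x62\x00\x00"        # literal data (tag 11)
                 b"\xc2\x02\x04\x00")           # signature (tag 2)

if __name__ == "__main__":
    for name, blob in [("detached binary", DETACHED_BIN),
                       ("detached armored", DETACHED_ARMORED),
                       ("clear-signed message", CLEARSIGNED),
                       ("inline-signed message", INLINE_SIGNED)]:
        print("%-22s accepted as detached signature: %s"
              % (name, is_detached_signature(blob)))
```

Only the two detached forms pass; the clear-signed text that the report describes as being swapped in for the .sig file, and a binary inline-signed message, are both refused before gpg ever sees them. Partial body lengths and indeterminate old-format lengths are rejected rather than parsed, which is the fail-closed choice for a gatekeeper like this.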
Werner Koch posted a proposed patch on gnupg-devel for public testing.
If this patch works for you, I [typo corrected] will post the patch
on [gnupg-]announce later this day.
OK, final patch got posted by Werner. Attaching.
Created attachment 5908
Patch to fix the vulnerability
New devel snapshot including the fix released:
When can we expect a fixed Red Hat release?
Soon. We'd already extracted the relevant fix from CVS based on previous mail
to the gnupg list, but were waiting to see if an official release would be
available. Depending on timing, a 1.0.4 with the fixes may pop up in Raw Hide
if 1.0.4c isn't finished.
1.0.4c includes a large number of changes from 1.0.4. We'll go with a 1.0.4
with the two specific security patches applied.