Debian Bug report logs - #353017
gnupg: False positive signature verification in GnuPG
Reported by: Micah Anderson <micah@debian.org>
Date: Wed, 15 Feb 2006 17:19:36 UTC
Severity: normal
Tags: security
Found in version gnupg/1.4.2-2
Fixed in versions gnupg/1.4.2.2, gnupg/1.4.1-1sarge1, gnupg/1.4.2.2-1, gnupg/1.4.1-1sarge3
Done: Thijs Kinkhorst <kink@squirrelmail.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>: Bug#353017; Package gnupg.
Acknowledgement sent to Micah Anderson <micah@debian.org>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>.
Message #5 received at submit@bugs.debian.org:
Package: gnupg
Version: 1.4.2-2
Severity: important
Tags: security
An excerpt from
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html
When using any current version of GnuPG for unattended signature
verification (e.g. by scripts and mail programs), false positive
signature verification of detached signatures may occur.
This problem affects the tool *gpgv*, as well as using "gpg --verify"
to imitate gpgv, if only the exit code of the process is used to
decide whether a detached signature is valid. This is a plausible
mode of operation for gpgv.
If, as suggested, the --status-fd generated output is used to decide
whether a signature is valid, no problem exists. In particular
applications making use of the GPGME library[2] are not affected.
All versions of gnupg prior to 1.4.2.1 are affected if they are used
in certain unattended operation modes.
This issue has been assigned CVE ID: CVE-2006-0455, please use this
in any changelogs which address this issue.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages gnupg depends on:
ii libbz2-1.0 1.0.3-2 high-quality block-sorting file co
ii libc6 2.3.5-13 GNU C Library: Shared libraries an
ii libldap2 2.1.30-12 OpenLDAP libraries
ii libreadline5 5.1-6 GNU readline and history libraries
ii libusb-0.1-4 2:0.1.11-4 userspace USB programming library
ii makedev 2.3.1-80 creates device files in /dev
ii zlib1g 1:1.2.3-9 compression library - runtime
gnupg recommends no packages.
-- no debconf information
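The advisory quoted in the report says the safe mode of operation is to decide from the --status-fd output rather than from the process exit code. The script below is an added example for this bug log, not code from GnuPG, Debian or the reporter. It parses gpgv status lines, fails closed when the output contains no GOODSIG/VALIDSIG pair or contains any error keyword, and accepts only a VALIDSIG from a fingerprint the caller trusts. The sample status lines, key ID and fingerprint are constructed placeholders; `verify_detached` assumes a `gpgv` binary on PATH and a keyring file supplied by the caller, and the primary-key fingerprint in the tenth VALIDSIG field is only consulted when present.

```python
"""Decide detached-signature validity from gpgv --status-fd output, not from
the exit code. Added example for Debian bug #353017; not GnuPG or Debian code."""
import subprocess
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "

# Status keywords after which the result is "not verified", whatever the
# process exit code says.
FATAL_KEYWORDS = {
    "BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "UNEXPECTED",
    "REVKEYSIG", "EXPKEYSIG", "EXPSIG",
}


@dataclass
class Verdict:
    valid: bool
    signers: list = field(default_factory=list)   # fingerprints that passed
    reasons: list = field(default_factory=list)   # why the check failed, if it did


def parse_status(text):
    """Split --status-fd output into (keyword, args) records; ignore other lines."""
    records = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                records.append((fields[0], fields[1:]))
    return records


def judge(status_text, trusted_fprs):
    """Fail closed: valid only if at least one VALIDSIG names a trusted key,
    GOODSIG and VALIDSIG counts agree, and no fatal keyword appears.
    Empty status output (nothing was verified at all) is a failure."""
    trusted = {f.upper() for f in trusted_fprs}
    verdict = Verdict(valid=False)
    goodsig = validsig = 0
    for keyword, args in parse_status(status_text):
        if keyword in FATAL_KEYWORDS:
            verdict.reasons.append(keyword)
        elif keyword == "GOODSIG":
            goodsig += 1
        elif keyword == "VALIDSIG" and args:
            validsig += 1
            # args[0] is the signing (sub)key fingerprint; args[9], present in
            # newer GnuPG versions, is the primary key fingerprint.
            candidates = {args[0].upper()}
            if len(args) > 9:
                candidates.add(args[9].upper())
            if candidates & trusted:
                verdict.signers.append(args[0].upper())
            else:
                verdict.reasons.append("VALIDSIG from untrusted key " + args[0])
    if goodsig == 0 or validsig == 0:
        verdict.reasons.append("no GOODSIG/VALIDSIG in status output")
    if goodsig != validsig:
        verdict.reasons.append("GOODSIG/VALIDSIG count mismatch")
    verdict.valid = not verdict.reasons and len(verdict.signers) > 0
    return verdict


def verify_detached(sig_path, data_path, keyring, trusted_fprs, gpgv="gpgv"):
    """Run gpgv with status lines on stdout and decide from those lines.
    A non-zero exit code can still veto, but a zero exit code never approves."""
    proc = subprocess.run(
        [gpgv, "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        capture_output=True, text=True,
    )
    verdict = judge(proc.stdout, trusted_fprs)
    if proc.returncode != 0 and verdict.valid:
        verdict.valid = False
        verdict.reasons.append("gpgv exited %d" % proc.returncode)
    return verdict


# Constructed sample status output; the key ID and fingerprint are placeholders.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-02-15 "
    "1140000000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_BADSIG = "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
SAMPLE_EMPTY = ""   # no status lines at all: must be rejected even on exit code 0
TRUSTED = {"0123456789ABCDEF0123456789ABCDEF01234567"}

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("badsig", SAMPLE_BADSIG), ("empty", SAMPLE_EMPTY)):
        v = judge(text, TRUSTED)
        print(name, v.valid, v.reasons)
```

The decision rule is deliberately asymmetric: status output can only approve when it positively names a trusted signer, and the exit code is consulted only as an extra veto, so a build of gpg or gpgv that exits 0 without having verified anything is rejected rather than trusted.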
Severity set to `normal'. Request was from Micah Anderson <micah@riseup.net> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#353017; Package gnupg.
Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #12 received at 353017@bugs.debian.org:
close 353017 1.4.2.2
close 353017 1.4.1-1sarge1
Hello,
> When using any current version of GnuPG for unattended signature
> verification (e.g. by scripts and mail programs), false positive
> signature verification of detached signatures may occur.
> This issue has been assigned CVE ID: CVE-2006-0455, please use this
> in any changelogs which address this issue.
This has been fixed in the above mentioned versions of gnupg, so I'm
marking the bug as closed since those versions. Thanks for reporting.
Thijs
Bug marked as fixed in version 1.4.2.2, send any further explanations to Micah Anderson <micah@debian.org>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.
Bug marked as fixed in version 1.4.1-1sarge1, send any further explanations to Micah Anderson <micah@debian.org>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.
Bug marked as fixed in version 1.4.2.2-1, send any further explanations to Micah Anderson <micah@debian.org>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.
Bug marked as fixed in version 1.4.1-1sarge3, send any further explanations to Micah Anderson <micah@debian.org>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#353017; Package gnupg.
Acknowledgement sent to "Quanah DiLisi" <DiLisi@PEAKRESCUE.ORG>: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #29 received at 353017@bugs.debian.org:
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 18:12:14 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:05:34 2019.
Debian Bug tracking system. Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.