gnupg: False positive signature verification in GnuPG

Related Vulnerabilities: CVE-2006-0455  

Debian Bug report logs - #353017


Reported by: Micah Anderson <micah@debian.org>

Date: Wed, 15 Feb 2006 17:19:36 UTC

Severity: normal

Tags: security

Found in version gnupg/1.4.2-2

Fixed in versions gnupg/1.4.2.2, gnupg/1.4.1-1sarge1, gnupg/1.4.2.2-1, gnupg/1.4.1-1sarge3

Done: Thijs Kinkhorst <kink@squirrelmail.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>:
Bug#353017; Package gnupg.


Acknowledgement sent to Micah Anderson <micah@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>.


Message #5 received at submit@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnupg: False positive signature verification in GnuPG
Date: Wed, 15 Feb 2006 12:16:08 -0500
Package: gnupg
Version: 1.4.2-2
Severity: important
Tags: security

An excerpt from
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html

When using any current version of GnuPG for unattended signature
verification (e.g. by scripts and mail programs), false positive
signature verification of detached signatures may occur.

This problem affects the tool *gpgv*, as well as using "gpg --verify"
to imitate gpgv, if only the exit code of the process is used to
decide whether a detached signature is valid.  This is a plausible
mode of operation for gpgv.

If, as suggested, the --status-fd generated output is used to decide
whether a signature is valid, no problem exists.  In particular
applications making use of the GPGME library[2] are not affected.

All versions of gnupg prior to 1.4.2.1 are affected if they are used
in certain unattended operation modes.

This issue has been assigned CVE ID: CVE-2006-0455, please use this
in any changelogs which address this issue.



-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages gnupg depends on:
ii  libbz2-1.0                    1.0.3-2    high-quality block-sorting file co
ii  libc6                         2.3.5-13   GNU C Library: Shared libraries an
ii  libldap2                      2.1.30-12  OpenLDAP libraries
ii  libreadline5                  5.1-6      GNU readline and history libraries
ii  libusb-0.1-4                  2:0.1.11-4 userspace USB programming library
ii  makedev                       2.3.1-80   creates device files in /dev
ii  zlib1g                        1:1.2.3-9  compression library - runtime

gnupg recommends no packages.

-- no debconf information
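The advisory's recommended mode of operation, deciding from the --status-fd output rather than the process exit code, written out as an added example that is not part of the bug report or of GnuPG itself. The gpgv command line is the standard one; the key id, fingerprint and status lines in the samples are constructed placeholders.

```python
import re
import subprocess

# Status-fd keywords that mean the signature must not be accepted, whatever
# the exit code says (keyword names as documented in GnuPG's DETAILS file).
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                   "NODATA", "UNEXPECTED", "NO_PUBKEY"}
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def signature_is_valid(status_output, allowed_fingerprints):
    """Decide validity from --status-fd lines, never from the exit code.

    Accept only if exactly one GOODSIG and one VALIDSIG were reported, the
    VALIDSIG fingerprint is on the allow-list, and no rejecting keyword
    appeared anywhere.  Empty output (no status lines at all) is a reject.
    """
    goodsig = 0
    validsig_fprs = []
    for line in status_output.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue                       # not a status line: ignore
        keyword, args = m.group(1), (m.group(2) or "")
        if keyword in REJECT_KEYWORDS:
            return False
        if keyword == "GOODSIG":
            goodsig += 1
        elif keyword == "VALIDSIG":
            validsig_fprs.append(args.split()[0])   # first field: fingerprint
    return (goodsig == 1 and len(validsig_fprs) == 1
            and validsig_fprs[0] in allowed_fingerprints)


def gpgv_verify(sig_path, data_path, keyring_path, allowed_fingerprints):
    """Run gpgv with status output on fd 1 and judge only those lines."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring_path,
         sig_path, data_path], capture_output=True, text=True)
    return signature_is_valid(proc.stdout, allowed_fingerprints)


# Constructed samples of status output (placeholder key id and fingerprint).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2006-02-15 1140000000 0 4 0 17 2 00 {FPR}\n")
# The advisory's failure mode: exit code 0 but no usable signature; the
# status stream still reports NODATA, so this check rejects it.
SAMPLE_NO_SIG = "[GNUPG:] NODATA 1\n"
```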



Severity set to `normal'. Request was from Micah Anderson <micah@riseup.net> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#353017; Package gnupg.


Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.


Message #12 received at 353017@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 353017@bugs.debian.org, Micah Anderson <micah@debian.org>
Cc: control@bugs.debian.org
Subject: Re: gnupg: False positive signature verification in GnuPG
Date: Fri, 07 Apr 2006 14:35:14 +0200
[Message part 1 (text/plain, inline)]
close 353017 1.4.2.2
close 353017 1.4.1-1sarge1

Hello,

> When using any current version of GnuPG for unattended signature
> verification (e.g. by scripts and mail programs), false positive
> signature verification of detached signatures may occur.

> This issue has been assigned CVE ID: CVE-2006-0455, please use this
> in any changelogs which address this issue.

This has been fixed in the above-mentioned versions of gnupg, so I'm
marking the bug as closed since those versions. Thanks for reporting.


Thijs
[signature.asc (application/pgp-signature, inline)]

Bug marked as fixed in version 1.4.2.2; send any further explanations to Micah Anderson <micah@debian.org>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.


Bug marked as fixed in version 1.4.1-1sarge1; send any further explanations to Micah Anderson <micah@debian.org>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.


Bug marked as fixed in version 1.4.2.2-1; send any further explanations to Micah Anderson <micah@debian.org>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.


Bug marked as fixed in version 1.4.1-1sarge3; send any further explanations to Micah Anderson <micah@debian.org>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.




Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#353017; Package gnupg.


Acknowledgement sent to "Quanah DiLisi" <DiLisi@PEAKRESCUE.ORG>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.


Message #29 received at 353017@bugs.debian.org:

From: "Quanah DiLisi" <DiLisi@PEAKRESCUE.ORG>
To: <353017@bugs.debian.org>
Subject: invitaikn Text change tagged
Date: Fri, 20 Apr 2007 11:47:41 +0200
Where he did not wear metal, his clothes were dark leather.

TO ALL FINANCIAL INVESTORS!
THIS STOCK IS GOING TO TAKE OFF!
THE RALLY STARTS FRIDAY, APRIL 20!
REALISED PRICE GAIN OF 400%+ IN 5 DAYS!

Symbol: G7Q.F
Company: COUNTY LINE ENERGY
5-day price target: 0.95
Closing price: 0.21
WKN:  A0J3B0
ISIN: US2224791077
Market: Frankfurt

DON'T MISS THIS OPPORTUNITY!
G7Q WILL TAKE OFF LIKE A ROCKET!
G7Q.F WILL EXCEED OUR EXPECTATIONS!

A significant simplification of ALGOL 68.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 18:12:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:05:34 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.