gnupg: does not detect injection of unsigned data

Debian Bug report logs - #356125
gnupg: does not detect injection of unsigned data

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Bart Martens <bart.martens@advalvas.be>

To: submit@bugs.debian.org

Subject: gnupg: does not detect injection of unsigned data

Date: Thu, 9 Mar 2006 21:49:06 +0100

Package: gnupg
Version: 1.4.2-2
Severity: important
Tags: security

Upgrading to the suggested version 1.4.2.2 would also fix bug #353019.

On Thu, Mar 09, 2006 at 07:53:40PM +0100, Werner Koch wrote:
>            GnuPG does not detect injection of unsigned data
>            ================================================
>                  (released 2006-03-09, CVE-2006-0049)
> 
> 
> Summary
> =======
> 
> In the aftermath of the false positive signature verfication bug
> (announced 2006-02-15) more thorough testing of the fix has been done
> and another vulnerability has been detected.
> 
> This new problem affects the use of *gpg* for verification of
> signatures which are _not_ detached signatures.  The problem also
> affects verification of signatures embedded in encrypted messages;
> i.e. standard use of gpg for mails.
> 
> To solve this problem, an update of the current stable version has
> been released (see below).
> 
> Please do not respond to this message.  The mailing list gnupg-devel
> is the best place to discuss this problem (please subscribe first so
> you don't need moderator approval [1]).
> 
> 
> Impact:
> =======
> 
> Signature verification of non-detached signatures may give a positive
> result but when extracting the signed data, this data may be prepended
> or appended with extra data not covered by the signature.  Thus it is
> possible for an attacker to take any signed message and inject extra
> arbitrary data.
> 
> Detached signatures (a separate signature file) are not affected.
> 
> All versions of gnupg prior to 1.4.2.2 are affected.
> 
> Scripts and applications using gpg to verify the integrity of data are
> affected. This includes applications using the GPGME library[2].
> 
> The GnuPG version 1.9.x is not affected unless the currently
> deprecated gpg part has been enabled.
> 
> 
> Solution:
> =========
> 
> Update GnuPG as soon as possible to version 1.4.2.2.  There are no
> fixes for older versions available.
> 
> If you can't get an update from your vendor, please follow the
> instructions found at http://www.gnupg.org/download/ or read on:
> 
> GnuPG 1.4.2.2 may be downloaded from one of the GnuPG mirror sites or
> direct from ftp://ftp.gnupg.org/gcrypt/ .  The list of mirrors can be
> found at http://www.gnupg.org/mirrors.html .  Note, that GnuPG is not
> available at ftp.gnu.org.
> 
> On the mirrors you should find the following files in the *gnupg*
> directory:
> 
>   gnupg-1.4.2.2.tar.bz2 (2.8M)
>   gnupg-1.4.2.2.tar.bz2.sig
> 
>       GnuPG source compressed using BZIP2 and OpenPGP signature.
> 
>   gnupg-1.4.2.2.tar.gz (4.0M)
>   gnupg-1.4.2.2.tar.gz.sig
> 
>       GnuPG source compressed using GZIP and OpenPGP signature.
> 
>   gnupg-1.4.2.1-1.4.2.2.diff.bz2 (101k)
> 
>       A patch file to upgrade a 1.4.2.1 GnuPG source. 
> 
> Select one of them. To shorten the download time, you probably want to
> get the BZIP2 compressed file.  Please try another mirror if
> exceptional your mirror is not yet up to date.
> 
> In the *binary* directory, you should find these files:
> 
>   gnupg-w32cli-1.4.2.2.exe (1.4M)
>   gnupg-w32cli-1.4.2.2.exe.sig
> 
>       GnuPG compiled for Microsoft Windows and OpenPGP signature.
>       Note that this is a command line version and now comes with a
>       graphical installer tool.  The source files are the same as
>       given above.  Note, that a new version of the Gpg4Win
>       package[3], including a fixed version of GnuPG has also been
>       released today.
> 
> 
> In order to check that the version of GnuPG which you are going to
> install is an original and unmodified one, you can do it in one of
> the following ways:
> 
>  * If you already have a trusted version of GnuPG installed, you can
>    simply check the supplied signature.  Due to the fact that detached
>    signatures are used, the problem described here does not affect
>    this verification.  For example to check the signature of the file
>    gnupg-1.4.2.2.tar.bz2 you would use this command:
> 
>      gpg --verify gnupg-1.4.2.2.tar.bz2.sig
> 
>    This checks whether the signature file matches the source file.
>    You should see a message indicating that the signature is good and
>    made by that signing key.  Make sure that you have the right key,
>    either by checking the fingerprint of that key with other sources
>    or by checking that the key has been signed by a trustworthy other
>    key.  Note, that you can retrieve the signing key using "finger wk
>    'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the
>    keyservers.  From time to time I prolong the expiration date; thus
>    you might need a fresh copy of that key.
> 
>    Never use a GnuPG version you just downloaded to check the
>    integrity of the source - use an existing GnuPG installation!
>    Watch out for a "Good signature" messages.
> 
>  * If you are not able to use an old version of GnuPG, you have to
>    verify the SHA-1 checksum.  Assuming you downloaded the file
>    gnupg-1.4.2.1.tar.bz2, you would run the sha1sum command like this:
> 
>      sha1sum gnupg-1.4.2.2.tar.bz2
> 
>    and check that the output matches the first line from the
>    following list:
> 
> f5559ddb004e0638f6bd9efe2bac00134c5065ba  gnupg-1.4.2.2.tar.bz2
> 959540c1c6158e09d668ceee055bf366dc26d0bd  gnupg-1.4.2.2.tar.gz
> 880b3e937f232b1ca366bda37c4a959aacbd84f3  gnupg-1.4.2.1-1.4.2.2.diff.bz2
> 95dd7fd4c49423b86704acfc396ce5a53c8b19e7  gnupg-w32cli-1.4.2.2.exe
> 
> 
> 
> Background:
> ===========
> 
> OpenPGP messages are made up of packets.  The signed data is a packet,
> the actual signature is a packet and there are several control packets
> as well.  For example:
> 
>    O + D + S 
> 
> This describes a standard signed message made made up of a control
> packet (O for one-pass signature packet), the actual signed data (D)
> and the actual signature packet (S).  gpg checks that the signature S
> is valid over the data D.  This is actually easy if not OpenPGP and
> GnuPG would have a long tradition of changing the fromats.  PGP 2
> versions used a different way of composing these packets:
> 
>    S + D
> 
> and early versions of gpg, released before RFC2440, even created
> 
>    D + S
> 
> i.e. without the one-pass packet.  Still this would all be easy to
> process properly but in an ill-advised attempt to make things easier,
> gpg allowed the processing of multiple signatures per file, like
> 
>    O1 + D1 + S1 + O2 + D2 + S2
> 
> where two standard signatures are concatenated.  Now when combining
> this with the other variants of signatures, things get really messy
> and it is not always possible to assocciate the signature (S) with the
> signed data (D).  gpg checked that this all works but unfortunately
> these checks are not sufficient enough.  The attack is to change a
> standard message to inject faked data (F).  A simple case is this:
> 
>    F + O + D + S 
> 
> gpg now happily skips F for verification and does a proper signature
> verification of D and if this succeeds, prints a positive result.
> However when asked to output the actual signed data it will output the
> concatenation of F + D and thus create the impression that both are
> covered by the signature.  Depending on how gpg is invoked (in a
> pipeline or using --output) it may even output just F and not at all
> D.  There are several variants of the attack in where to put the faked
> data.
> 
> The only correct solution to this problem is to get rid of the feature
> to check concatenated signatures - this allows for strict checking of
> valid packet composition.  This is what has been done in 1.4.2.2 and
> in the forthcoming 1.4.3rc2.  These versions accept signatures only if
> they are composed of
> 
>   O + D + S
>   S + D
>   
> Cleartext signatures are of course also supported, they are similiar
> to the O+D+S case.
> 
> The actual checking for valid signature packet composition is done at
> g10/mainproc.c, at the top of check_sig_and_print().
> 
> 
> Thanks
> ======
> 
> Tavis Ormandy again poked on gpg and found this vulnerability. 
> 
> The new version has been released yesterday and should by now be
> available on all mirrors.
> 
> 
> 
> 
> [1] http://lists.gnupg.org/mailman/listinfo/gnupg-devel
> [2] http://www.gnupg.org/related_software/gpgme
> [3] http://www.gpg4win.org
> 
> 
> -- 
> Werner Koch                                      <wk@gnupg.org>
> The GnuPG Experts                                http://g10code.com
> Free Software Foundation Europe                  http://fsfeurope.org
> Join the Fellowship and protect your Freedom!    http://www.fsfe.org

Message #10 received at 356125@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <kink@squirrelmail.org>

To: 356125@bugs.debian.org, Bart Martens <bart.martens@advalvas.be>

Cc: control@bugs.debian.org

Subject: Re: gnupg: does not detect injection of unsigned data

Date: Fri, 07 Apr 2006 14:51:49 +0200

[Message part 1 (text/plain, inline)]

close 353017 1.4.2.2-1
close 353017 1.4.1-1sarge3

Hello,

> On Thu, Mar 09, 2006 at 07:53:40PM +0100, Werner Koch wrote:
> >            GnuPG does not detect injection of unsigned data
> >            ================================================
> >                  (released 2006-03-09, CVE-2006-0049)

This has been fixed in the above mentioned versions of gnupg, so I'm
marking the bug as closed since those versions. Thanks for reporting.


Thijs

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.