Debian Bug report logs -
#356125
gnupg: does not detect injection of unsigned data
Reported by: Bart Martens <bart.martens@advalvas.be>
Date: Thu, 9 Mar 2006 21:04:32 UTC
Severity: important
Tags: security
Found in version gnupg/1.4.2-2
Fixed in versions gnupg/1.4.2.2-1, gnupg/1.4.1-1sarge3
Done: Thijs Kinkhorst <kink@squirrelmail.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>
:
Bug#356125
; Package gnupg
.
(full text, mbox, link).
Acknowledgement sent to Bart Martens <bart.martens@advalvas.be>
:
New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: gnupg
Version: 1.4.2-2
Severity: important
Tags: security
Upgrading to the suggested version 1.4.2.2 would also fix bug #353019.
On Thu, Mar 09, 2006 at 07:53:40PM +0100, Werner Koch wrote:
> GnuPG does not detect injection of unsigned data
> ================================================
> (released 2006-03-09, CVE-2006-0049)
>
>
> Summary
> =======
>
> In the aftermath of the false positive signature verfication bug
> (announced 2006-02-15) more thorough testing of the fix has been done
> and another vulnerability has been detected.
>
> This new problem affects the use of *gpg* for verification of
> signatures which are _not_ detached signatures. The problem also
> affects verification of signatures embedded in encrypted messages;
> i.e. standard use of gpg for mails.
>
> To solve this problem, an update of the current stable version has
> been released (see below).
>
> Please do not respond to this message. The mailing list gnupg-devel
> is the best place to discuss this problem (please subscribe first so
> you don't need moderator approval [1]).
>
>
> Impact:
> =======
>
> Signature verification of non-detached signatures may give a positive
> result but when extracting the signed data, this data may be prepended
> or appended with extra data not covered by the signature. Thus it is
> possible for an attacker to take any signed message and inject extra
> arbitrary data.
>
> Detached signatures (a separate signature file) are not affected.
>
> All versions of gnupg prior to 1.4.2.2 are affected.
>
> Scripts and applications using gpg to verify the integrity of data are
> affected. This includes applications using the GPGME library[2].
>
> The GnuPG version 1.9.x is not affected unless the currently
> deprecated gpg part has been enabled.
>
>
> Solution:
> =========
>
> Update GnuPG as soon as possible to version 1.4.2.2. There are no
> fixes for older versions available.
>
> If you can't get an update from your vendor, please follow the
> instructions found at http://www.gnupg.org/download/ or read on:
>
> GnuPG 1.4.2.2 may be downloaded from one of the GnuPG mirror sites or
> direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be
> found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not
> available at ftp.gnu.org.
>
> On the mirrors you should find the following files in the *gnupg*
> directory:
>
> gnupg-1.4.2.2.tar.bz2 (2.8M)
> gnupg-1.4.2.2.tar.bz2.sig
>
> GnuPG source compressed using BZIP2 and OpenPGP signature.
>
> gnupg-1.4.2.2.tar.gz (4.0M)
> gnupg-1.4.2.2.tar.gz.sig
>
> GnuPG source compressed using GZIP and OpenPGP signature.
>
> gnupg-1.4.2.1-1.4.2.2.diff.bz2 (101k)
>
> A patch file to upgrade a 1.4.2.1 GnuPG source.
>
> Select one of them. To shorten the download time, you probably want to
> get the BZIP2 compressed file. Please try another mirror if
> exceptional your mirror is not yet up to date.
>
> In the *binary* directory, you should find these files:
>
> gnupg-w32cli-1.4.2.2.exe (1.4M)
> gnupg-w32cli-1.4.2.2.exe.sig
>
> GnuPG compiled for Microsoft Windows and OpenPGP signature.
> Note that this is a command line version and now comes with a
> graphical installer tool. The source files are the same as
> given above. Note, that a new version of the Gpg4Win
> package[3], including a fixed version of GnuPG has also been
> released today.
>
>
> In order to check that the version of GnuPG which you are going to
> install is an original and unmodified one, you can do it in one of
> the following ways:
>
> * If you already have a trusted version of GnuPG installed, you can
> simply check the supplied signature. Due to the fact that detached
> signatures are used, the problem described here does not affect
> this verification. For example to check the signature of the file
> gnupg-1.4.2.2.tar.bz2 you would use this command:
>
> gpg --verify gnupg-1.4.2.2.tar.bz2.sig
>
> This checks whether the signature file matches the source file.
> You should see a message indicating that the signature is good and
> made by that signing key. Make sure that you have the right key,
> either by checking the fingerprint of that key with other sources
> or by checking that the key has been signed by a trustworthy other
> key. Note, that you can retrieve the signing key using "finger wk
> 'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the
> keyservers. From time to time I prolong the expiration date; thus
> you might need a fresh copy of that key.
>
> Never use a GnuPG version you just downloaded to check the
> integrity of the source - use an existing GnuPG installation!
> Watch out for a "Good signature" messages.
>
> * If you are not able to use an old version of GnuPG, you have to
> verify the SHA-1 checksum. Assuming you downloaded the file
> gnupg-1.4.2.1.tar.bz2, you would run the sha1sum command like this:
>
> sha1sum gnupg-1.4.2.2.tar.bz2
>
> and check that the output matches the first line from the
> following list:
>
> f5559ddb004e0638f6bd9efe2bac00134c5065ba gnupg-1.4.2.2.tar.bz2
> 959540c1c6158e09d668ceee055bf366dc26d0bd gnupg-1.4.2.2.tar.gz
> 880b3e937f232b1ca366bda37c4a959aacbd84f3 gnupg-1.4.2.1-1.4.2.2.diff.bz2
> 95dd7fd4c49423b86704acfc396ce5a53c8b19e7 gnupg-w32cli-1.4.2.2.exe
>
>
>
> Background:
> ===========
>
> OpenPGP messages are made up of packets. The signed data is a packet,
> the actual signature is a packet and there are several control packets
> as well. For example:
>
> O + D + S
>
> This describes a standard signed message made made up of a control
> packet (O for one-pass signature packet), the actual signed data (D)
> and the actual signature packet (S). gpg checks that the signature S
> is valid over the data D. This is actually easy if not OpenPGP and
> GnuPG would have a long tradition of changing the fromats. PGP 2
> versions used a different way of composing these packets:
>
> S + D
>
> and early versions of gpg, released before RFC2440, even created
>
> D + S
>
> i.e. without the one-pass packet. Still this would all be easy to
> process properly but in an ill-advised attempt to make things easier,
> gpg allowed the processing of multiple signatures per file, like
>
> O1 + D1 + S1 + O2 + D2 + S2
>
> where two standard signatures are concatenated. Now when combining
> this with the other variants of signatures, things get really messy
> and it is not always possible to assocciate the signature (S) with the
> signed data (D). gpg checked that this all works but unfortunately
> these checks are not sufficient enough. The attack is to change a
> standard message to inject faked data (F). A simple case is this:
>
> F + O + D + S
>
> gpg now happily skips F for verification and does a proper signature
> verification of D and if this succeeds, prints a positive result.
> However when asked to output the actual signed data it will output the
> concatenation of F + D and thus create the impression that both are
> covered by the signature. Depending on how gpg is invoked (in a
> pipeline or using --output) it may even output just F and not at all
> D. There are several variants of the attack in where to put the faked
> data.
>
> The only correct solution to this problem is to get rid of the feature
> to check concatenated signatures - this allows for strict checking of
> valid packet composition. This is what has been done in 1.4.2.2 and
> in the forthcoming 1.4.3rc2. These versions accept signatures only if
> they are composed of
>
> O + D + S
> S + D
>
> Cleartext signatures are of course also supported, they are similiar
> to the O+D+S case.
>
> The actual checking for valid signature packet composition is done at
> g10/mainproc.c, at the top of check_sig_and_print().
>
>
> Thanks
> ======
>
> Tavis Ormandy again poked on gpg and found this vulnerability.
>
> The new version has been released yesterday and should by now be
> available on all mirrors.
>
>
>
>
> [1] http://lists.gnupg.org/mailman/listinfo/gnupg-devel
> [2] http://www.gnupg.org/related_software/gpgme
> [3] http://www.gpg4win.org
>
>
> --
> Werner Koch <wk@gnupg.org>
> The GnuPG Experts http://g10code.com
> Free Software Foundation Europe http://fsfeurope.org
> Join the Fellowship and protect your Freedom! http://www.fsfe.org
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>
:
Bug#356125
; Package gnupg
.
(full text, mbox, link).
Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>
:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>
.
(full text, mbox, link).
Message #10 received at 356125@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
close 353017 1.4.2.2-1
close 353017 1.4.1-1sarge3
Hello,
> On Thu, Mar 09, 2006 at 07:53:40PM +0100, Werner Koch wrote:
> > GnuPG does not detect injection of unsigned data
> > ================================================
> > (released 2006-03-09, CVE-2006-0049)
This has been fixed in the above mentioned versions of gnupg, so I'm
marking the bug as closed since those versions. Thanks for reporting.
Thijs
[signature.asc (application/pgp-signature, inline)]
Bug marked as fixed in version 1.4.2.2-1, send any further explanations to Bart Martens <bart.martens@advalvas.be>
Request was from Thijs Kinkhorst <kink@squirrelmail.org>
to control@bugs.debian.org
.
(full text, mbox, link).
Bug marked as fixed in version 1.4.1-1sarge3, send any further explanations to Bart Martens <bart.martens@advalvas.be>
Request was from Thijs Kinkhorst <kink@squirrelmail.org>
to control@bugs.debian.org
.
(full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 24 Jun 2007 23:15:27 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:18:27 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.