On Wed, Feb 15, 2006 at 08:49:25AM +0100, Werner Koch wrote:
> False positive signature verification in GnuPG
> ==============================================
>
> Summary
> =======
>
> The Gentoo project identified a security related bug in GnuPG. When
> using any current version of GnuPG for unattended signature
> verification (e.g. by scripts and mail programs), false positive
> signature verification of detached signatures may occur.
>
> This problem affects the tool *gpgv*, as well as using "gpg --verify"
> to imitate gpgv, if only the exit code of the process is used to
> decide whether a detached signature is valid. This is a plausible
> mode of operation for gpgv.

There is also another signature checking related bug, but not
acknowledged by Werner.

gpg -o xx xx.asc with the attached ASCII signature protected file does
not return an error on a crafted signature. gpg versions before 1.4 did
fail on this, gpg 1.4 does not.

$ gpg -o xx xx.asc
gpg: malformed CRC
$ echo $?
2
$

1.4 does accept it:

$ gpg -o xx xx.asc
$ echo $?
0
$

While files with other content report:

$ gpg -o xx xx.any
gpg: no valid OpenPGP data found.
gpg: processing message failed: eof
$ echo $?
2
$

The SUSE Security Team still considers this a bug, even if upstream
does not.

Ciao,
Marcus
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This message is a test
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

ysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrK
ysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrK
ysrKysrKysrKysrKysrKysrKysrKyso=
-----END PGP SIGNATURE-----
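Added example, not part of the original message or of GnuPG itself: a Python helper that applies the advisory's point for unattended verification, treating a zero exit code as necessary but not sufficient and additionally requiring GOODSIG and VALIDSIG lines from gpgv's --status-fd output. The key ids, fingerprint and status lines below are constructed, not captured from a real run.

```python
import subprocess
from typing import List

# GnuPG status-fd keywords that make a result unacceptable even when the
# process exits 0 (all are real keywords documented in GnuPG's DETAILS).
FATAL = {"BADSIG", "ERRSIG", "NODATA", "EXPKEYSIG", "REVKEYSIG",
         "NO_PUBKEY", "UNEXPECTED"}


def signature_ok(exit_code: int, status_lines: List[str]) -> bool:
    """Return True only if a signature was actually verified.

    A zero exit code alone is exactly the check the advisory warns about:
    we also demand both a GOODSIG and a VALIDSIG line and no fatal status.
    """
    if exit_code != 0:
        return False
    seen = set()
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # ordinary stderr text, not a status line
        keyword = parts[1]
        if keyword in FATAL:
            return False  # any bad/missing signature fails the whole run
        seen.add(keyword)
    return "GOODSIG" in seen and "VALIDSIG" in seen


def verify_detached(sig_path: str, data_path: str, keyring: str) -> bool:
    """Run gpgv with status lines on stdout and apply signature_ok()."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        capture_output=True, text=True,
    )
    return signature_ok(proc.returncode, proc.stdout.splitlines())


# Constructed sample status output (key id and fingerprint are placeholders).
GOOD = [
    "[GNUPG:] SIG_ID AbCdEf 2006-02-15 1139990965",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-02-15 1139990965",
]
# The failure mode from the advisory: exit status 0 but no signature verified.
NO_SIGNATURE = ["[GNUPG:] NODATA 1"]
```

With the bug described above, gpgv may exit 0 while printing no GOODSIG/VALIDSIG at all, which signature_ok() rejects.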