(fwd) Security Update: verification bug in gnupg
[All implementations of GnuPG are vulnerable to this bug. Please
upgrade, whatever your operating system/distribution. -- Raju]
This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
Return-Path: <BUGTRAQ@xxxxxxxxxxxxxxxxx>
Approved-By: aleph1@xxxxxxxxxxxxxxxxx
Delivered-To: bugtraq@xxxxxxxxxxxxxxxxxxxxxxx
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6us
Message-ID: <20001019111417.A25197@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-To: Caldera Support Info <sup-info@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
X-To: announce@xxxxxxxxxxxxxxxxxxxxxxxx, linux-security@xxxxxxxxxx,
linuxlist@xxxxxxxxxxxxxxxxxx
From: Caldera Support Info <sup-info@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject: Security Update: verification bug in gnupg
Date: Thu, 19 Oct 2000 11:14:17 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: verification bug in gnupg
Advisory number: CSSA-2000-038.0
Issue date: 2000 October, 18
Cross reference:
______________________________________________________________________________
1. Problem Description
There is a bug in the signature verification of GnuPG,
the GNU replacement for PGP.
Normally, signature verification with GnuPG works as
expected: GnuPG properly detects when digitally signed
data has been tampered with.
However, these checks do not work properly if a single
file contains several sections with inline signatures.
In this case GnuPG does not always detect that some of
the signed portions have been modified, and incorrectly
reports that all signatures are valid. A file that GnuPG
reports as verifying "good" as a whole therefore cannot
be assumed to have every signed section intact.
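A check the problem description calls for, as an added example that is not part of the Caldera advisory or of GnuPG itself: rather than trusting gpg's single overall verdict on a file holding several inline-signed sections, read its machine-readable --status-fd output and require exactly one GOODSIG per section, rejecting the file on any BADSIG, ERRSIG or expired/revoked-key result. The sample status lines and the two-section clearsigned skeleton below are constructed (the key ID, fingerprint and user ID are placeholders), and verify_file assumes gpg is on PATH with the signer's public key already imported. The real fix is the package upgrade; this is the defence-in-depth a script that consumes multi-section signed files should apply anyway.

```python
"""Verify every signature in a multi-section file via gpg --status-fd.

Added example; not code from the Caldera advisory or from GnuPG.
"""
import re
import shutil
import subprocess
from typing import Dict, Tuple

# Per-signature status tokens gpg writes to --status-fd (documented in
# GnuPG's doc/DETAILS). NEWSIG, VALIDSIG and other bookkeeping lines are
# deliberately not matched.
_SIG_STATUS = re.compile(
    r"^\[GNUPG:\] (GOODSIG|BADSIG|ERRSIG|NODATA|EXPSIG|EXPKEYSIG|REVKEYSIG)\b"
)

# Constructed status output (not captured from a real gpg run) for a file
# holding two clearsigned sections, the second of which was tampered with.
SAMPLE_TAMPERED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2000-10-18 971827200 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""

# Constructed status output for the same file with both sections intact.
SAMPLE_CLEAN = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""

# Constructed skeleton of a file with two clearsigned sections; the armor
# bodies are placeholders, not real signatures.
SAMPLE_TWO_SECTIONS = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

first section
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

second section
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
"""


def summarize_status(status_output: str) -> Dict[str, int]:
    """Tally per-signature results from gpg --status-fd output."""
    counts = {"good": 0, "bad": 0, "unverifiable": 0, "untrustworthy": 0}
    for line in status_output.splitlines():
        m = _SIG_STATUS.match(line.strip())
        if not m:
            continue
        tag = m.group(1)
        if tag == "GOODSIG":
            counts["good"] += 1
        elif tag == "BADSIG":
            counts["bad"] += 1
        elif tag in ("ERRSIG", "NODATA"):
            counts["unverifiable"] += 1   # unknown key, broken packet, no signature
        else:
            counts["untrustworthy"] += 1  # EXPSIG / EXPKEYSIG / REVKEYSIG
    return counts


def all_sections_verified(status_output: str, expected_sections: int) -> Tuple[bool, str]:
    """Accept only if every section produced GOODSIG and nothing else was reported."""
    c = summarize_status(status_output)
    if c["bad"] or c["unverifiable"] or c["untrustworthy"]:
        return False, (f"{c['bad']} bad, {c['unverifiable']} unverifiable, "
                       f"{c['untrustworthy']} expired/revoked signature(s)")
    if c["good"] != expected_sections:
        return False, f"expected {expected_sections} good signature(s), gpg reported {c['good']}"
    return True, f"all {c['good']} signature(s) good"


def count_signed_sections(armored_text: str) -> int:
    """Count clearsigned sections by their opening armor header."""
    return armored_text.count("-----BEGIN PGP SIGNED MESSAGE-----")


def verify_file(path: str) -> Tuple[bool, str]:
    """Run gpg on a file and apply the per-section policy above.

    Assumes gpg is on PATH and the signer's public key is in the keyring.
    With --status-fd 1, the status lines go to stdout and gpg's human-readable
    output goes to stderr.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return False, "gpg not found on PATH"
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        expected = count_signed_sections(fh.read())
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True,
    )
    return all_sections_verified(proc.stdout, expected)


if __name__ == "__main__":
    print(all_sections_verified(SAMPLE_CLEAN, 2))
    print(all_sections_verified(SAMPLE_TAMPERED, 2))
```

The section count comes from the file's own armor headers, so a section whose signature gpg silently skipped shows up as a mismatch rather than as a pass. Text outside the armored sections is covered by no signature and is not rejected by this check; a consumer that must treat the whole file as authenticated should refuse files containing any such text.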
2. Vulnerable Versions
System                                Package
-----------------------------------------------------------
OpenLinux Desktop 2.3                 not vulnerable
OpenLinux eServer 2.3                 not vulnerable
  and OpenLinux eBuilder
OpenLinux eDesktop 2.4                All packages previous to
                                      gnupg-1.0.4-2
3. Solution
Workaround:
None
4. OpenLinux Desktop 2.3
not vulnerable
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
not vulnerable
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification (MD5 checksums; compare with the output of md5sum)
3892693d729a46acc587dcece5a59f7c RPMS/gnupg-1.0.4-2.i386.rpm
407234b6c1381ed0e4e22ae99b88ba3f SRPMS/gnupg-1.0.4-2.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected package with the following command:
rpm -Fhv gnupg-1.0.4-2.i386.rpm
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 7996.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Caldera OpenLinux.
9. Acknowledgements
Caldera Systems wishes to thank Werner Koch, the author of GnuPG,
for his work and cooperation.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE57v3U18sy83A/qfwRAoQNAJ9FqaDcp6LBSrE/Gf4ptHZQLx776ACeIkXZ
nNgMWmAfY/3rbLWwRJPmjwo=
=qgtb
-----END PGP SIGNATURE-----
------------------------------
End of this Digest
******************