Date: Wed, 18 Oct 2000 10:17:21 +0200 (CEST)
From: Dag-Erling Smorgrav <des@thinksec.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/22410: [PATCH] GnuPG doesn't verify all signatures
Message-ID: <200010180817.e9I8HLY69624@des.thinksec.com>
>Number: 22410
>Category: ports
>Synopsis: [PATCH] GnuPG doesn't verify all signatures
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Oct 30 00:00:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Dag-Erling Smorgrav
>Release: FreeBSD 5.0-CURRENT i386
>Organization: ThinkSec AS
>Environment: ports-current
>Description:
From gnupg-announce@gnupg.org:

A bug in GnuPG's signature verification function has recently been found: If you have more than one signature (either cleartext or binary ones) in a file (or pipe that to gpg), gpg does not compare each signature but flags each document as good or bad depending on the first document in the file. It is possible to use this bug to fake signatures (in most cases it needs some social engineering but it is not that complicated).

IT IS RECOMMENDED TO UPDATE TO THIS NEW 1.0.4 RELEASE WHICH FIXES THE PROBLEM!
>How-To-Repeat:
porteasy -bu gnupg
>Fix:
Index: Makefile =================================================================== RCS file: /home/ncvs/ports/security/gnupg/Makefile,v retrieving revision 1.24 diff -u -r1.24 Makefile --- Makefile 2000/09/19 03:16:11 1.24 +++ Makefile 2000/10/18 07:50:33 @@ -6,7 +6,7 @@ # PORTNAME= gnupg -PORTVERSION= 1.0.3 +PORTVERSION= 1.0.4 CATEGORIES= security MASTER_SITES= ftp://ftp.gnupg.org/pub/gcrypt/gnupg/ \ ftp://pgp.iijlab.net/pub/gnupg/ \ Index: distinfo =================================================================== RCS file: /home/ncvs/ports/security/gnupg/distinfo,v retrieving revision 1.16 diff -u -r1.16 distinfo --- distinfo 2000/09/19 03:16:11 1.16 +++ distinfo 2000/10/18 08:00:20 
@@ -1 +1 @@ -MD5 (gnupg-1.0.3.tar.gz) = ef42c679df7a555e23ebe3c8d14a9124 +MD5 (gnupg-1.0.4.tar.gz) = bef2267bfe9b74a00906a78db34437f9
>Release-Note:
>Audit-Trail:
>Unformatted:
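Review bot: the PORTVERSION bump from 1.0.3 to 1.0.4 is the only change in the Makefile hunk, which is right for a straight security update, but the MASTER_SITES context lines list ftp.gnupg.org and the pgp.iijlab.net mirror, so confirm the 1.0.4 tarball has reached the mirrors before commit; since the Description cites the gnupg-announce advisory for the signature-verification bug, the commit log should name this as a security fix so anyone on 1.0.3 knows to upgrade.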
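Review bot: the distinfo hunk replaces only the MD5 line, and that MD5 is the port's sole integrity check on the distfile, so the new value bef2267bfe9b74a00906a78db34437f9 should be confirmed against the checksum published with the upstream 1.0.4 announcement rather than computed from whatever a mirror served; a checksum taken locally from an unverified download only guarantees that later fetches match it, not that the tarball is the one the GnuPG project released.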
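An added example, not code from this PR or from GnuPG, that models the reported behaviour so a maintainer can keep a regression check for it: an HMAC with a constructed key stands in for a real signature, the cleartext block format is hypothetical, and verify_stream_buggy reproduces the first-verdict-sticks flaw beside the per-block verify_stream_fixed.

```python
import hmac
import hashlib
import re

# Constructed demo key: an HMAC stands in for the asymmetric signature
# GnuPG would check; the verification-state handling is what matters here.
KEY = b"constructed-demo-key"

def sign(text: str) -> str:
    """Signature over one cleartext body (hypothetical format)."""
    return hmac.new(KEY, text.encode(), hashlib.sha256).hexdigest()

def clearsign(text: str, sig: str) -> str:
    """Wrap a body and its signature in a hypothetical cleartext block."""
    return (f"-----BEGIN SIGNED MESSAGE-----\n{text}\n"
            f"-----BEGIN SIGNATURE-----\n{sig}\n-----END SIGNATURE-----\n")

BLOCK_RE = re.compile(
    r"-----BEGIN SIGNED MESSAGE-----\n(.*?)\n"
    r"-----BEGIN SIGNATURE-----\n(.*?)\n-----END SIGNATURE-----\n", re.S)

def parse_blocks(data: str) -> list[tuple[str, str]]:
    """Return every (body, signature) pair found in a multi-block file."""
    return BLOCK_RE.findall(data)

def verify_stream_buggy(data: str) -> list[bool]:
    """Models the flaw: the first block's verdict is reused for all others."""
    verdict, results = None, []
    for body, sig in parse_blocks(data):
        if verdict is None:
            verdict = hmac.compare_digest(sign(body), sig)
        results.append(verdict)
    return results

def verify_stream_fixed(data: str) -> list[bool]:
    """Each block gets its own comparison; no state carries over."""
    return [hmac.compare_digest(sign(body), sig)
            for body, sig in parse_blocks(data)]

def multi_signature_check(verify) -> bool:
    """Regression check: a valid first block followed by a block whose
    signature does not match must yield [True, False]."""
    good = clearsign("gnupg-1.0.4 released", sign("gnupg-1.0.4 released"))
    # Constructed tampered block: body changed after signing.
    bad = clearsign("altered text", sign("original text"))
    return verify(good + bad) == [True, False]

if __name__ == "__main__":
    print("buggy verifier passes:", multi_signature_check(verify_stream_buggy))
    print("fixed verifier passes:", multi_signature_check(verify_stream_fixed))
```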