Date:      Wed, 18 Oct 2000 10:17:21 +0200 (CEST)
From:      Dag-Erling Smorgrav <des@thinksec.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/22410: [PATCH] GnuPG doesn't verify all signatures
Message-ID:  <200010180817.e9I8HLY69624@des.thinksec.com>


>Number:         22410
>Category:       ports
>Synopsis:       [PATCH] GnuPG doesn't verify all signatures
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 30 00:00:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Dag-Erling Smorgrav
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
ThinkSec AS
>Environment:

ports-current

>Description:

From gnupg-announce@gnupg.org:

A bug in GnuPG's signature verification function has recently been
found: 

If you have more than one signature (either cleartext or binary
ones) in a file (or pipe that to gpg), gpg does not compare each
signature but flags each document as good or bad depending on the
first document in the file. It is possible to use this bug to fake
signatures (in most cases it needs some social engineering but it is
not that complicated).

     IT IS RECOMMENDED TO UPDATE TO THIS NEW 1.0.4 RELEASE WHICH
                       FIXES THE PROBLEM!
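
A defensive pre-check for the class of input the announcement describes, added here as an example (not part of this PR or of GnuPG): it counts the signature packets in an OpenPGP file so a caller can refuse inputs carrying more than one signature instead of trusting a single good/bad verdict from an unpatched gpg. Packet-header layout follows RFC 2440 (old- and new-format headers); the sample bytes are constructed, and compressed or partial-length bodies are not descended into.

```python
"""Count top-level OpenPGP signature packets in a file before handing it
to gpg. Header parsing follows RFC 2440; compressed bodies are not
descended into, and partial/indeterminate lengths are rejected."""
import re

SIG_TAG = 2  # OpenPGP packet tag for a signature packet

def _header(buf, pos):
    """Return (tag, body_len, header_len) for the packet starting at pos."""
    b = buf[pos]
    if not b & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if b & 0x40:                                    # new-format header
        tag = b & 0x3F
        l = buf[pos + 1]
        if l < 192:                                 # one-octet length
            return tag, l, 2
        if l < 224:                                 # two-octet length
            return tag, ((l - 192) << 8) + buf[pos + 2] + 192, 3
        if l == 255:                                # five-octet length
            return tag, int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        raise ValueError("partial body length not supported")
    tag, ltype = (b >> 2) & 0x0F, b & 0x03          # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = 1 << ltype                                  # 1, 2 or 4 length octets
    return tag, int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def count_signatures(data):
    """Number of signatures in binary or ASCII-armored OpenPGP input."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return len(re.findall(rb"^-----BEGIN PGP SIGNATURE-----", data, re.M))
    pos, count = 0, 0
    while pos < len(data):
        tag, blen, hlen = _header(data, pos)
        count += tag == SIG_TAG
        pos += hlen + blen                          # skip over the body
    return count

def has_multiple_signatures(data):
    """True when the input carries more than one signature to verify."""
    return count_signatures(data) > 1

# Constructed sample: two old-format signature packets (tag 2) followed by
# one literal-data packet (tag 11), all with one-octet lengths and dummy
# bodies; only the headers matter for the count.
SAMPLE = bytes([0x88, 3, 1, 2, 3, 0x88, 2, 9, 9, 0xAC, 4, 0x62, 0, 0, 0])

if __name__ == "__main__":
    print("signatures in sample:", count_signatures(SAMPLE))
```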

>How-To-Repeat:

porteasy -bu gnupg

>Fix:

Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/gnupg/Makefile,v
retrieving revision 1.24
diff -u -r1.24 Makefile
--- Makefile	2000/09/19 03:16:11	1.24
+++ Makefile	2000/10/18 07:50:33
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	gnupg
-PORTVERSION=	1.0.3
+PORTVERSION=	1.0.4
 CATEGORIES=	security
 MASTER_SITES=	ftp://ftp.gnupg.org/pub/gcrypt/gnupg/ \
 		ftp://pgp.iijlab.net/pub/gnupg/ \
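Review bot: this Makefile hunk is only safe to commit together with the distinfo hunk: with PORTVERSION raised to 1.0.4 while distinfo still lists the 1.0.3 checksum, the fetched gnupg-1.0.4.tar.gz fails the MD5 check and the port does not build. Since the PR is a security update, the commit log should cite the gnupg-announce notice quoted in the Description so that users of the port can tell why the bump matters.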
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/security/gnupg/distinfo,v
retrieving revision 1.16
diff -u -r1.16 distinfo
--- distinfo	2000/09/19 03:16:11	1.16
+++ distinfo	2000/10/18 08:00:20
@@ -1 +1 @@
-MD5 (gnupg-1.0.3.tar.gz) = ef42c679df7a555e23ebe3c8d14a9124
+MD5 (gnupg-1.0.4.tar.gz) = bef2267bfe9b74a00906a78db34437f9
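Review bot: the new MD5 line is the only fetch-time integrity check the port has for the 1.0.4 tarball, and the Makefile hunk lists several MASTER_SITES that this checksum makes interchangeable, so the committer should confirm bef2267bfe9b74a00906a78db34437f9 against a tarball whose upstream release signature was verified rather than against a copy pulled from the first mirror that answers.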

>Release-Note:
>Audit-Trail:
>Unformatted:

