Date: Wed, 3 Aug 2005 13:55:41 +0200 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Jacques Vidrine <jacques@vidrine.us> Cc: cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org Subject: Re: cvs commit: ports/security/vuxml vuln.xml Message-ID: <20050803115540.GF851@zaphod.nitro.dk> In-Reply-To: <0FD8500C-E0DE-4CB2-B7EF-DDCF5A7B754F@vidrine.us> References: <200507311323.j6VDNoTB070910@repoman.freebsd.org> <0FD8500C-E0DE-4CB2-B7EF-DDCF5A7B754F@vidrine.us>
next in thread | previous in thread | raw e-mail | index | archive | help
--FL5UXtIhxfXey3p5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2005.07.31 10:34:00 -0500, Jacques Vidrine wrote: > > On Jul 31, 2005, at 8:23 AM, Simon L. Nielsen wrote: > > >simon 2005-07-31 13:23:50 UTC > > > > FreeBSD ports repository > > > > Modified files: > > security/vuxml vuln.xml > > Log: > > Document gnupg -- OpenPGP symmetric encryption vulnerability. > > > > Note: this is mainly a theoretical vulnerability. > > > > Revision Changes Path > > 1.763 +38 -1 ports/security/vuxml/vuln.xml > > Thanks, Simon. Here are a couple of other points that this entry > should maybe reflect: > > =3D Other software implementing OpenPGP is likely affected, e.g. the > Perl Crypt::OpenPGP module (ports/security/p5-Crypt-OpenPGP) Doh, I had for some reason not thought of that. It seems like there is p5-Crypt-OpenPGP, security/pgpin, security/pgp, and security/pgp6 which are not just frontends. =46rom a quick check of the pgp 2.6.3 docs it seems to also support CFB so I would think it is also vulnerable. All the projects seems to be rather dead (no activity for 3+ years)... > =3D GnuPG and others "resolved" this issue by disabling the "quick > check" when using a session key derived from public key encryption. > But the issue still exists when using symmetric encryption directly, > e.g. with the `-c' or `--symmetric' flags to gpg. Of course in that > case it is even less likely to affect a real world user. Should a comment about this be added to the VuXML entry? I think it seems like a bit of overkill to mark the recent gnupg still vulnerable due to the _very_ low likeliness that anyone is impacted. --=20 Simon L. Nielsen --FL5UXtIhxfXey3p5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFC8LC8h9pcDSc1mlERAuKdAJwKZ5ZA10UbB4PWezbkhog3YSK/KACgmYx5 ANG0M1KFQ08CiEfzZoe8ZM0= =z/tk -----END PGP SIGNATURE----- --FL5UXtIhxfXey3p5--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050803115540.GF851>