From owner-cvs-ports@FreeBSD.ORG Wed Aug 3 12:07:16 2005 Return-Path: X-Original-To: cvs-ports@FreeBSD.org Delivered-To: cvs-ports@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D6F416A420; Wed, 3 Aug 2005 12:07:16 +0000 (GMT) (envelope-from nectar@FreeBSD.org) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4464C43D45; Wed, 3 Aug 2005 12:07:15 +0000 (GMT) (envelope-from nectar@FreeBSD.org) Received: from gw.celabo.org (localhost [127.0.0.1]) by internal.gw.celabo.org (Postfix) with ESMTP id 2C452DF2E82; Wed, 3 Aug 2005 07:07:14 -0500 (CDT) Received: from lum.celabo.org (lum.celabo.org [10.0.1.107]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 26A69DF2DA5; Wed, 3 Aug 2005 07:07:14 -0500 (CDT) Received: from [127.0.0.1] (localhost [127.0.0.1]) by lum.celabo.org (Postfix) with ESMTP id 8027E20A1D2; Wed, 3 Aug 2005 07:07:08 -0500 (CDT) In-Reply-To: <20050803115540.GF851@zaphod.nitro.dk> References: <200507311323.j6VDNoTB070910@repoman.freebsd.org> <0FD8500C-E0DE-4CB2-B7EF-DDCF5A7B754F@vidrine.us> <20050803115540.GF851@zaphod.nitro.dk> Mime-Version: 1.0 (Apple Message framework v733) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: Jacques Vidrine Date: Wed, 3 Aug 2005 07:07:05 -0500 To: "Simon L. Nielsen" X-Mailer: Apple Mail (2.733) X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on hellblazer.celabo.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham version=3.0.3 Cc: cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org Subject: Re: cvs commit: ports/security/vuxml vuln.xml X-BeenThere: cvs-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Aug 2005 12:07:16 -0000 On Aug 3, 2005, at 6:55 AM, Simon L. Nielsen wrote: > On 2005.07.31 10:34:00 -0500, Jacques Vidrine wrote: >> On Jul 31, 2005, at 8:23 AM, Simon L. Nielsen wrote: >>> simon 2005-07-31 13:23:50 UTC >>> >>> FreeBSD ports repository >>> >>> Modified files: >>> security/vuxml vuln.xml >>> Log: >>> Document gnupg -- OpenPGP symmetric encryption vulnerability. >>> >>> Note: this is mainly a theoretical vulnerability. >>> >>> Revision Changes Path >>> 1.763 +38 -1 ports/security/vuxml/vuln.xml >>> >> >> Thanks, Simon. Here are a couple of other points that this entry >> should maybe reflect: >> >> = Other software implementing OpenPGP is likely affected, e.g. the >> Perl Crypt::OpenPGP module (ports/security/p5-Crypt-OpenPGP) >> > > Doh, I had for some reason not thought of that. It seems like there > is p5-Crypt-OpenPGP, security/pgpin, security/pgp, and security/pgp6 > which are not just frontends. > > From a quick check of the pgp 2.6.3 docs it seems to also support CFB > so I would think it is also vulnerable. Hmm. The flaw is in the /OpenPGP variant/ of CFB. So I am uncertain whether PGP 2 is affected... > All the projects seems to be rather dead (no activity for 3+ years)... > >> = GnuPG and others "resolved" this issue by disabling the "quick >> check" when using a session key derived from public key encryption. >> But the issue still exists when using symmetric encryption directly, >> e.g. with the `-c' or `--symmetric' flags to gpg. Of course in that >> case it is even less likely to affect a real world user. >> > > Should a comment about this be added to the VuXML entry? I think it > seems like a bit of overkill to mark the recent gnupg still vulnerable > due to the _very_ low likeliness that anyone is impacted. A note would be nice, but I agree that it is not helpful to mark recent gpg as vulnerable. Cheers, -- Jacques A. Vidrine / NTT/Verio jacques@vidrine.us / jvidrine@verio.net / nectar@freebsd.org