Bug#: 170874
Status: RESOLVED
Resolution: FIXED
Assigned To: Crypto team <crypto@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Bug 170874 depends on: 177745 177747 198656 Show dependency tree
Description:   Opened: 2007-03-14 13:51 0000
GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line,
do not visually distinguish signed and unsigned portions of OpenPGP messages
with multiple components, which might allow remote attackers to forge the
contents of a message without detection.
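As an added illustration (not part of this bug report, nor code from GnuPG or GPGME), the following Python script shows the message shape the description is about: a correctly signed block with a second, unsigned literal data packet appended to it. It walks the binary OpenPGP packet stream per RFC 4880 (old- and new-format headers), expands compressed packets, and reports each literal data packet together with whether it lies between a one-pass signature packet and its closing signature packet. The sample message is constructed inline; its signature packet is a structural placeholder and not a valid signature, and the check is purely structural, so it complements rather than replaces gpg's own verification.

```python
import struct
import zlib

# Packet tags from RFC 4880 section 4.3 (only the ones this check needs).
TAG_SIGNATURE = 2
TAG_ONE_PASS_SIG = 4
TAG_COMPRESSED = 8
TAG_LITERAL = 11


def parse_packets(data: bytes):
    """Split a binary OpenPGP message into (tag, body) pairs (RFC 4880 section 4.2)."""
    packets = []
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte at offset {i}")
        i += 1
        if ctb & 0x40:  # new-format header: 6-bit tag, variable-size length field
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: 4-bit tag, 2-bit length type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        i += length
    return packets


def literal_data_status(data: bytes, depth: int = 0):
    """Return [(payload, covered_by_signature)] for every literal data packet.

    A literal counts as signed only while it sits between a one-pass signature
    packet and the signature packet that closes it. Compressed packets are
    expanded so that a signed block wrapped in compression is inspected too.
    """
    result = []
    for tag, body in parse_packets(data):
        if tag == TAG_ONE_PASS_SIG:
            depth += 1
        elif tag == TAG_SIGNATURE:
            depth = max(depth - 1, 0)
        elif tag == TAG_COMPRESSED:
            algo = body[0]
            if algo == 1:        # ZIP: raw DEFLATE (RFC 1951)
                inner = zlib.decompress(body[1:], -15)
            elif algo == 2:      # ZLIB (RFC 1950)
                inner = zlib.decompress(body[1:])
            else:
                raise ValueError(f"unsupported compression algorithm {algo}")
            result.extend(literal_data_status(inner, depth))
        elif tag == TAG_LITERAL:
            name_len = body[1]
            payload = body[2 + name_len + 4:]   # skip format byte, filename, 4-byte date
            result.append((payload, depth > 0))
    return result


def has_unsigned_component(data: bytes) -> bool:
    """True if any literal data packet in the message is outside a signature bracket."""
    return any(not signed for _, signed in literal_data_status(data))


def packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with the smallest length field that fits."""
    if len(body) < 0x100:
        ltype, lfield = 0, len(body).to_bytes(1, "big")
    elif len(body) < 0x10000:
        ltype, lfield = 1, len(body).to_bytes(2, "big")
    else:
        ltype, lfield = 2, len(body).to_bytes(4, "big")
    return bytes([0x80 | (tag << 2) | ltype]) + lfield + body


def literal(text: bytes) -> bytes:
    """Literal data packet: format 'b', empty filename, zero timestamp, then the data."""
    return packet(TAG_LITERAL, b"b" + b"\x00" + b"\x00" * 4 + text)


def build_sample_message() -> bytes:
    """Constructed sample: a signed, compressed block with an unsigned literal appended."""
    # One-pass signature: version 3, sig type 0x00, SHA-256, RSA, dummy key id, nested=1
    ops = packet(TAG_ONE_PASS_SIG, b"\x03\x00\x08\x01" + b"\x11" * 8 + b"\x01")
    # Placeholder v4 signature body: structure only, not a valid signature
    sig = packet(TAG_SIGNATURE, b"\x04\x00\x01\x08" + b"\x00\x00" + b"\x00\x00"
                 + b"\xaa\xbb" + b"\x00\x08\x7f")
    signed_block = ops + literal(b"Pay Alice 10 EUR") + sig
    compressed = packet(TAG_COMPRESSED, b"\x02" + zlib.compress(signed_block))
    # The attacker appends a second literal packet that no signature covers
    return compressed + literal(b"...and 1000 EUR to Mallory")


if __name__ == "__main__":
    for payload, signed in literal_data_status(build_sample_message()):
        print(("SIGNED   " if signed else "UNSIGNED ") + payload.decode())
```

The report prints one line per literal data packet, so the unsigned tail stands out. Older gpg releases printed both payloads to the terminal with a single "Good signature" line; the fixed releases refuse a message with more than one plaintext component.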

------- Comment #1 From Raphael Marichez 2007-03-14 13:57:10 0000 -------
I don't consider this bug a security issue, whereas Debian has marked it
"high" in sarge:
"gnupg (1.4.1-1.sarge7) stable-security; urgency=high"

------- Comment #2 From Raphael Marichez 2007-03-14 14:09:37 0000 -------
I arbitrarily take the selfish decision myself to reassign this to the
maintainer/herd.

------- Comment #3 From Alon Bar-Lev (RETIRED) 2007-03-14 15:22:20 0000 -------
OK.
We have gnupg-1.4.7 and gpgme-1.1.4 in tree.
We will wait for a few weeks and request stable.

security: Please drop a note if you think it should be done quicker.

------- Comment #4 From Raphael Marichez 2007-03-15 21:11:42 0000 -------
(In reply to comment #3)
> security: Please drop a note if you think it should be done quicker.

Thanks Alon,

I don't think that merits a security timeframe escalation. With a
backport/patch I would have said "stabilize it", but here I agree with waiting
a few moments.

I'm closing the bug then. Feel free to reopen if you disagree.

------- Comment #5 From Carsten Lohrke 2007-05-08 20:37:48 0000 -------
I strongly disagree with Raphael that this sort of message manipulation is a
minor issue. Please prepare for stabilizing asap.

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-05-09 13:19:42 0000 -------
I tend to agree with Carlo on this one. Security any other opinions?

------- Comment #7 From Carsten Lohrke 2007-05-11 19:19:49 0000 -------
Hm, seeing that you stabilize 1.4.7-r1 I have to tell you that this does not
suffice. According to this source [1], gnupg 2.0.3 has to go stable, too.


[1] http://www.heise-security.co.uk/news/86299

------- Comment #8 From Alon Bar-Lev (RETIRED) 2007-05-11 19:26:08 0000 -------
We cannot have gnupg-2.X stable until we resolve some issues:
bug#159851, of which bug#159870 is the most critical.

------- Comment #9 From Alon Bar-Lev (RETIRED) 2007-06-22 16:56:56 0000 -------
All dependencies are waiting for stable, nothing I can do here...

------- Comment #10 From Jakub Moc (RETIRED) 2008-01-10 15:15:15 0000 -------
gnupg-2.0.7 is stable everywhere but on mips (surprise :P) - Bug 202158, ditto
for gpgme-1.1.5 - Bug 198656.

security doesn't want this bug, closing. Reopen if you disagree.
