Bug 125217 - app-crypt/gnupg: ambiguous signatures may verify unsigned data
Summary: app-crypt/gnupg: ambiguous signatures may verify unsigned data
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A2? [glsa]
Duplicates: 125631
Depends on:
Reported: 2006-03-06 04:24 UTC by Tavis Ormandy (RETIRED)
Modified: 2019-12-22 11:57 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---

patch from Werner Koch of GnuPG project (a.diff, 4.60 KB, patch)
2006-03-06 04:24 UTC, Tavis Ormandy (RETIRED)
no flags
Demo mbox (gpg-test-mbox, 1.85 KB, text/plain)
2006-03-07 13:33 UTC, Tavis Ormandy (RETIRED)
no flags

Description Tavis Ormandy (RETIRED) gentoo-dev 2006-03-06 04:24:13 UTC
gnupg can be tricked into verifying unsigned data by constructing an openpgp message containing multiple literal data packets. as it is ambiguous as to which packet contains the signed data, gpg can be tricked into producing a "good signature" message for modified or unsigned data.
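As an added illustration (not code from this bug report or from GnuPG), the following walks the packet headers of an OpenPGP message and flags any message that carries more than one literal data packet, which is the ambiguity the fix rejects. The packet bodies in the sample messages are constructed placeholders, not real signatures.

```python
LITERAL_DATA = 11  # RFC 4880 packet tag for literal data

def parse_packet_tags(msg: bytes) -> list:
    """Return the packet tags in msg, decoding old- and new-format headers (RFC 4880 sec. 4.2)."""
    tags, i = [], 0
    while i < len(msg):
        ctb = msg[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if ctb & 0x40:  # new format: tag in the low 6 bits, length in 1, 2 or 5 octets
            tag, first = ctb & 0x3F, msg[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + msg[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(msg[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:  # old format: tag in bits 2-5, length type in the low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled in this example")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(msg[i + 1:i + 1 + n], "big"), 1 + n
        if i + hdr + length > len(msg):
            raise ValueError("packet body truncated at offset %d" % i)
        tags.append(tag)
        i += hdr + length
    return tags

def is_ambiguous(msg: bytes) -> bool:
    """True when the message holds more than one literal data packet, i.e. it is unclear which data the signature covers."""
    return parse_packet_tags(msg).count(LITERAL_DATA) > 1

def old_packet(tag: int, body: bytes) -> bytes:
    """Build a constructed old-format packet with a one-octet length (helper for the samples below)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample messages; the one-pass-signature and signature bodies are dummies, not real signatures.
ONE_PASS_SIG, SIGNATURE = 4, 2
GOOD = old_packet(ONE_PASS_SIG, b"\x03") + old_packet(LITERAL_DATA, b"b\x00hello") + old_packet(SIGNATURE, b"\x04")
BAD = GOOD + bytes([0xC0 | LITERAL_DATA, 7]) + b"b\x00HELLO"  # a second, new-format literal packet appended

if __name__ == "__main__":
    print(parse_packet_tags(GOOD), is_ambiguous(GOOD))  # [4, 11, 2] False
    print(parse_packet_tags(BAD), is_ambiguous(BAD))    # [4, 11, 2, 11] True
```

A verifier that enforces the expected one-pass-signature / literal / signature layout would reject `BAD` outright rather than guess which literal packet the signature covers.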
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-06 04:24:50 UTC
Created attachment 81509 [details, diff]
patch from Werner Koch of GnuPG project
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-06 05:07:23 UTC
no announcement yet, but upstream has committed changes to cvs.

I suspect upstream will create a security release.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-03-07 10:25:23 UTC
Removing herd as they can't access the bug through the alias, adding recent bumpers.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-07 13:33:42 UTC
Created attachment 81641 [details]
Demo mbox

Attaching an example mbox file that should not verify, as the message has been modified (may depend on gpg options, this is not the only attack vector, but it's the simplest).
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-07 16:14:02 UTC
interim release is tentatively scheduled for release tomorrow by upstream.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-03-08 09:56:36 UTC
New version at :
Please bump. Vulnerability will be public in a few hours.
Comment 7 Marcelo Goes (RETIRED) gentoo-dev 2006-03-08 10:26:30 UTC
Bumped. Warning: I do not think this tarball has hit gnupg's mirrors yet.
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-09 11:54:33 UTC
Okay, public now, adding arches for stabilisation
Comment 9 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-09 11:55:34 UTC
*** Bug 125631 has been marked as a duplicate of this bug. ***
Comment 10 Matti Bickel (RETIRED) gentoo-dev 2006-03-09 13:10:52 UTC
Tested on ppc: installs and builds fine.
Handles the demo-mbox fine, shows:
gpg: can't handle this ambiguous signature data

(quick) Regression tests:
* Signatures on -dev verify fine
* Several files crypted and decrypted show no difference to original
== Regression Tests passed ==
Please mark ppc stable.
Comment 11 Patrick McLean gentoo-dev 2006-03-09 13:31:18 UTC
stable on amd64.
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-09 14:07:40 UTC
sparc stable.
Comment 13 Fernando J. Pereda (RETIRED) gentoo-dev 2006-03-09 14:25:08 UTC
Alpha done. No regressions and does the right thing on the test case.

However FEATURES="test" required FEATURES="-sandbox" to be used. It tried to write directly to /dev/stderr and sandbox didn't like that (no clue why).

Comment 14 Luca Barbato gentoo-dev 2006-03-09 15:26:00 UTC
ppc stable
Comment 15 Mark Loeser (RETIRED) gentoo-dev 2006-03-09 16:52:19 UTC
x86 done
Comment 16 Markus Ullmann (RETIRED) gentoo-dev 2006-03-10 03:32:20 UTC
arm done
Comment 17 René Nussbaumer (RETIRED) gentoo-dev 2006-03-10 10:26:53 UTC
Stable on hppa
Comment 18 Markus Rothe (RETIRED) gentoo-dev 2006-03-10 11:26:22 UTC
stable on ppc64
Comment 19 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-10 12:46:15 UTC
all security supported architectures stable, ready for glsa
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2006-03-10 13:57:17 UTC
GLSA 200603-08
Thx everyone.
mips ppc-macos and s390 should still mark stable
Comment 21 Fabian Groffen gentoo-dev 2006-05-23 09:16:47 UTC
we were not CC-ed, so, "sorry" about the delay.  ppc-macos stable