Debian Security Advisory
gnupg -- incorrect signature verification
- Date Reported:
- 11 Nov 2000
- Affected Packages:
- gnupg
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-0974.
- More information:
-
The version of gnupg that was distributed in Debian GNU/Linux 2.2 had
a logic error in the code that checks for valid signatures which could
cause false positive results: Jim Small discovered that if the input
contained multiple signed sections the exit-code gnupg returned was
only valid for the last section, so improperly signed other sections
were not noticed.
This has been fixed in version 1.0.4-1 and we recommend that you upgrade your gnupg package to that version. Please note that this version of gnupg includes the RSA code directly instead of relying on the gpg-rsa package. This means that the
"load-extension rsa"command in~/.gnupg/optionsis no longer needed and must be removed: gnupg will not work correctly if it tries to load an extension that is not present. - Fixed in:
-
Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/dists/potato/updates/main/source/gnupg_1.0.4-1.diff.gz
- http://security.debian.org/dists/potato/updates/main/source/gnupg_1.0.4-1.dsc
- http://security.debian.org/dists/potato/updates/main/source/gnupg_1.0.4.orig.tar.gz
- http://security.debian.org/dists/potato/updates/main/source/gnupg_1.0.4-1.dsc
- Alpha:
- http://security.debian.org/dists/potato/updates/main/binary-alpha/gnupg_1.0.4-1_alpha.deb
- ARM:
- http://security.debian.org/dists/potato/updates/main/binary-arm/gnupg_1.0.4-1_arm.deb
- Intel IA-32:
- http://security.debian.org/dists/potato/updates/main/binary-i386/gnupg_1.0.4-1_i386.deb
- Motorola 680x0:
- http://security.debian.org/dists/potato/updates/main/binary-m68k/gnupg_1.0.4-1_m68k.deb
- PowerPC:
- http://security.debian.org/dists/potato/updates/main/binary-powerpc/gnupg_1.0.4-1_powerpc.deb
- Sun SPARC:
- http://security.debian.org/dists/potato/updates/main/binary-sparc/gnupg_1.0.4-1_sparc.deb