Debian Security Advisory
DSA-010-1 gnupg -- cheating with detached signatures, circumvention of web of trust
- Date Reported: 25 Dec 2000
- Affected Packages: gnupg
- Vulnerable: Yes
- Security database references: No other external database security references currently available.
- More information:
- Two bugs in GnuPG have recently been found:
- false positives when verifying detached signatures
There is a problem in the way gpg checks detached signatures which can lead to false positives. A detached signature could be verified with a command like this:
gpg --verify detached.sig < mydata
If someone replaced detached.sig with a signed text (i.e. not a detached signature) and then modified mydata, gpg would still report a successfully verified signature.
To fix this, the way the --verify option works has been changed: it now requires two arguments when verifying a detached signature, the file containing the detached signature and the file containing the data to be verified. Please note that this makes it incompatible with older versions!
- secret keys are silently imported
Florian Weimer discovered that gpg would import secret keys from key-servers. Since gpg considers public keys corresponding to known secret keys to be ultimately trusted, an attacker can use this to circumvent the web of trust.
To fix this, a new option was added to tell gpg that it is allowed to import secret keys: --allow-key-import.
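A defensive pre-check for the two failure modes described above, added here as an example and not taken from the advisory or from GnuPG itself: it walks the OpenPGP packet headers (RFC 2440, later RFC 4880) of a byte stream so a caller can confirm that a supposed detached signature file contains only signature packets, and that key material fetched from a keyserver carries no secret-key packets, before handing either to gpg. The sample byte strings are constructed; only their headers are meaningful, the packet bodies are filler.

```python
# Packet tags from RFC 2440 / RFC 4880, section 4.3.
TAG_SIGNATURE, TAG_ONE_PASS_SIG, TAG_SECRET_KEY = 2, 4, 5
TAG_SECRET_SUBKEY, TAG_COMPRESSED, TAG_LITERAL = 7, 8, 11

def packet_tags(data: bytes):
    """Yield the tag of every top-level packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"invalid packet header at offset {i}")
        if hdr & 0x40:                      # new-format header (bit 6 set)
            tag, o1 = hdr & 0x3F, data[i + 1]
            if o1 < 192:
                length, i = o1, i + 2
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:                           # partial body length: deliberately rejected
                raise ValueError("partial body lengths are not handled")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                  # indeterminate: packet runs to end of data
                length, i = len(data) - i - 1, i + 1
            else:
                n = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag
        i += length

def is_pure_detached_signature(data: bytes) -> bool:
    """True only when the stream is nothing but signature packets (tag 2)."""
    tags = list(packet_tags(data))
    return bool(tags) and all(t == TAG_SIGNATURE for t in tags)

def contains_secret_key_material(data: bytes) -> bool:
    """True when a secret-key or secret-subkey packet is present."""
    return any(t in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY) for t in packet_tags(data))

# Constructed sample streams: headers are real, packet bodies are filler.
DETACHED_SIG = b"\x88\x03" + b"\x04\x00\x01"                # tag 2, old-format header
SIGNED_TEXT = (b"\xc4\x02" + b"\x03\x00"                    # tag 4 one-pass signature
               + b"\xcb\x05" + b"bhi!!"                     # tag 11 literal data
               + b"\xc2\x03" + b"\x04\x00\x01")             # tag 2 signature
PUBLIC_KEY = b"\x98\x02" + b"\x04\x00"                      # tag 6 public key
SECRET_KEY = b"\x94\x02" + b"\x04\x00"                      # tag 5 secret key
```

A signed text substituted for detached.sig fails the first check because of its one-pass and literal-data packets, which is exactly the case the old --verify accepted.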
- Fixed in:
  Debian 2.2 (potato)
  - Source:
    http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.1.diff.gz
    http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.1.dsc
    http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4.orig.tar.gz
  - alpha:
    http://security.debian.org/dists/stable/updates/main/binary-alpha/gnupg_1.0.4-1.1_alpha.deb
  - arm:
    http://security.debian.org/dists/stable/updates/main/binary-arm/gnupg_1.0.4-1.1_arm.deb
  - i386:
    http://security.debian.org/dists/stable/updates/main/binary-i386/gnupg_1.0.4-1.1_i386.deb
  - m68k:
    http://security.debian.org/dists/stable/updates/main/binary-m68k/gnupg_1.0.4-1.1_m68k.deb
  - powerpc:
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/gnupg_1.0.4-1.1_powerpc.deb
  - sparc:
    http://security.debian.org/dists/stable/updates/main/binary-sparc/gnupg_1.0.4-1.1_sparc.deb