1 files changed, 231 insertions, 0 deletions
diff --git a/doc/detached-sig-verification-bug.txt b/doc/detached-sig-verification-bug.txt
new file mode 100644
index 000000000..a938cd7ee
--- /dev/null
+++ b/doc/detached-sig-verification-bug.txt
@@ -0,0 +1,231 @@
+           False positive signature verification in GnuPG
+           ==============================================
+                       (released 2006-02-15)
+
+
+Summary
+=======
+
+The Gentoo project identified a security related bug in GnuPG.  When
+using any current version of GnuPG for unattended signature
+verification (e.g. by scripts and mail programs), false positive
+signature verification of detached signatures may occur.
+
+This problem affects the tool *gpgv*, as well as using "gpg --verify"
+to imitate gpgv, if only the exit code of the process is used to
+decide whether a detached signature is valid.  This is a plausible
+mode of operation for gpgv.
+
+If, as suggested, the --status-fd generated output is used to decide
+whether a signature is valid, no problem exists.  In particular
+applications making use of the GPGME library[2] are not affected.
+
+To solve this problem an update of the current stable version has been
+released (see below).
+
+Please do not send private mail in response to this message.  The
+mailing list gnupg-devel is the best place to discuss this problem
+(please subscribe first so you don't need moderator approval [1]).
+
+
+Impact:
+=======
+
+Signature verification of detached signatures does not work, thus
+modified versions of signature protected files may not be detected.
+
+All versions of gnupg prior to 1.4.2.1 are affected if they are used
+in certain unattended operation modes.
+
+There is no problem using GnuPG in an interactive way because GnuPG
+won't print any signature status at all; i.e. no "Good signature".
+
+Scripts and applications using gpg or gpgv with the --status-fd option
+and properly parsing this output are not affected.
+
+Applications using the GPGME library[2] are not affected.
+
+The GnuPG versions 1.9 are not affected unless the currently
+deprecated gpg part has been enabled.
+
+
+Solution:
+=========
+
+Update GnuPG as soon as possible to version 1.4.2.1.  There are no
+fixes for older versions available, although the fix described below
+may be adjusted for them.
+
+To update please follow the instructions found at
+http://www.gnupg.org/download/ or read on:
+
+GnuPG 1.4.2.1 may be downloaded from one of the GnuPG mirror sites or
+direct from ftp://ftp.gnupg.org/gcrypt/ .  The list of mirrors can be
+found at http://www.gnupg.org/mirrors.html .  Note, that GnuPG is not
+available at ftp.gnu.org.
+
+On the mirrors you should find the following files in the *gnupg*
+directory:
+
+  gnupg-1.4.2.1.tar.bz2 (2.8M)
+  gnupg-1.4.2.1.tar.bz2.sig
+
+      GnuPG source compressed using BZIP2 and OpenPGP signature.
+
+  gnupg-1.4.2.1.tar.gz (4.0M)
+  gnupg-1.4.2.1.tar.gz.sig
+
+      GnuPG source compressed using GZIP and OpenPGP signature.
+
+  gnupg-1.4.2-1.4.2.1.diff.bz2 (39k)
+
+      A patch file to upgrade a 1.4.2 GnuPG source. 
+
+Select one of them. To shorten the download time, you probably want to
+get the BZIP2 compressed file.  Please try another mirror if
+exceptional your mirror is not yet up to date.
+
+In the *binary* directory, you should find these files:
+
+  gnupg-w32cli-1.4.2.1.exe (1.4M)
+  gnupg-w32cli-1.4.2.1.exe.sig
+
+      GnuPG compiled for Microsoft Windows and OpenPGP signature.
+      Note that this is a command line version and now comes with a
+      graphical installer tool.  The source files are the same as
+      given above.  Note, that a new version of the Gpg4Win
+      package[4], including an updated version of GnuPG will be
+      available later the day.
+
+
+In order to check that the version of GnuPG which you are going to
+install is an original and unmodified one, you can do it in one of
+the following ways:
+
+ * If you already have a trusted version of GnuPG installed, you
+   can simply check the supplied signature.  For example to check the
+   signature of the file gnupg-1.4.2.1.tar.bz2 you would use this command:
+
+     gpg --verify gnupg-1.4.2.1.tar.bz2.sig
+
+   This checks whether the signature file matches the source file.
+   You should see a message indicating that the signature is good and
+   made by that signing key.  Make sure that you have the right key,
+   either by checking the fingerprint of that key with other sources
+   or by checking that the key has been signed by a trustworthy other
+   key.  Note, that you can retrieve the signing key using "finger wk
+   'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the
+   keyservers.  From time to time I prolong the expiration date; thus
+   you might need a fresh copy of that key.
+
+   Never use a GnuPG version you just downloaded to check the
+   integrity of the source - use an existing GnuPG installation!
+   Watch out for a "Good signature" messages.
+
+ * If you are not able to use an old version of GnuPG, you have to
+   verify the SHA-1 checksum.  Assuming you downloaded the file
+   gnupg-1.4.2.1.tar.bz2, you would run the sha1sum command like this:
+
+     sha1sum gnupg-1.4.2.1.tar.bz2
+
+   and check that the output matches the first line from the
+   following list:
+
+1c0306ade25154743d6f6f9ac05bee74c55c6eda  gnupg-1.4.2.1.tar.bz2
+cefc74560f21bde74eed298d86460612cd7e12ee  gnupg-1.4.2.1.tar.gz
+98d597b1a9871b4aadc820d8641b36ce09125612  gnupg-1.4.2-1.4.2.1.diff.bz2
+a4db35a72d72df8e76751adc6f013b4c96112fd4  gnupg-w32cli-1.4.2.1.exe
+
+
+Background:
+===========
+
+If a file with arbitrary data, for example 64 times the character
+0xCA, is used as the detached signature, any data file will lead to
+gpg exiting with 0 (success).  There won't be any messages indicating
+that the signature is valid or false:
+
+  $ fortune >x.txt
+  $ perl -e 'print "\xca"x"64"' >x.txt.sig
+  $ gpgv x.txt.sig x.txt
+  $ echo $?
+  0
+
+Cleary this should not return success.
+
+The same problem appears when using "gpg --verify" in place of gpgv.
+However in this case any application should to do further checks to
+make sure that the key verifying the signature is actually the desired
+one, thus using "gpg --verify" without processing the --status-fd
+generated output is in general the wrong approach.
+
+The fixed version makes sure that gpgv and "gpg --verify" won't return
+success if no signature has been seen.  A minimal but sufficient fix
+against 1.4.2 and possible older versions is:
+
+====8<============
+--- g10/mainproc.c	(revision 4001)
++++ g10/mainproc.c	(working copy)
+@@ -77,6 +77,7 @@
+         int op;
+         int stop_now;
+     } pipemode;
++    int any_sig_seen;  /* Set to true if a signature packet has been seen. */
+ };
+ 
+ 
+@@ -217,6 +218,7 @@
+ {
+     KBNODE node;
+ 
++    c->any_sig_seen = 1;
+     if( pkt->pkttype == PKT_SIGNATURE && !c->list ) {
+ 	/* This is the first signature for the following datafile.
+ 	 * GPG does not write such packets; instead it always uses
+@@ -1137,6 +1139,18 @@
+     c->signed_data = signedfiles;
+     c->sigfilename = sigfilename;
+     rc = do_proc_packets( c, a );
++ 
++    /* If we have not encountered any signature we print an error
++       messages, send a NODATA status back and return an error code.
++       Using log_error is required because verify_files does not check
++       error codes for each file but we want to terminate the process
++       with an error. */ 
++    if (!rc && !c->any_sig_seen)
++      {
++ 	 write_status_text (STATUS_NODATA, "4");
++        log_error (_("no signature found\n"));
++        rc = -1;
++      }
+     m_free( c );
+     return rc;
+ }
+====>8============
+
+Note that the released version also includes a test case for this bug
+and prints an additional diagnostic.  With the patch above the output
+using the same test data as above should be:
+
+  $ gpgv x.txt.sig x.txt
+  gpgv: no signature found
+  gpgv: verify signatures failed: eof
+  $ echo $?
+  2
+
+
+
+Thanks
+======
+
+taviso from the Gentoo project found this vulnerability and informed
+me on Monday evening.  Unfortunately I had already switched off my
+monitor at that time.  The update has been released yesterday evening
+(CET).
+
+
+
+
+[1] http://lists.gnupg.org/mailman/listinfo/gnupg-devel
+[2] http://www.gnupg.org/related_software/gpgme
+[3] http://www.gpg4win.org