diff options
Diffstat (limited to '')
| -rw-r--r-- | doc/embedded-sig-verification-bug.txt | 211 |
1 files changed, 0 insertions, 211 deletions
diff --git a/doc/embedded-sig-verification-bug.txt b/doc/embedded-sig-verification-bug.txt deleted file mode 100644 index 2a2595497..000000000 --- a/doc/embedded-sig-verification-bug.txt +++ /dev/null @@ -1,211 +0,0 @@ - GnuPG does not detect injection of unsigned data - ================================================ - (released 2006-03-09, CVE-2006-0049) - - -Summary -======= - -In the aftermath of the false positive signature verfication bug -(announced 2006-02-15) more thorough testing of the fix has been done -and another vulnerability has been detected. - -This new problem affects the use of *gpg* for verification of -signatures which are _not_ detached signatures. The problem also -affects verification of signatures embedded in encrypted messages; -i.e. standard use of gpg for mails. - -To solve this problem, an update of the current stable version has -been released (see below). - -Please do not respond to this message. The mailing list gnupg-devel -is the best place to discuss this problem (please subscribe first so -you don't need moderator approval [1]). - - -Impact: -======= - -Signature verification of non-detached signatures may give a positive -result but when extracting the signed data, this data may be prepended -or appended with extra data not covered by the signature. Thus it is -possible for an attacker to take any signed message and inject extra -arbitrary data. - -Detached signatures (a separate signature file) are not affected. - -All versions of gnupg prior to 1.4.2.2 are affected. - -Scripts and applications using gpg to verify the integrity of data are -affected. This includes applications using the GPGME library[2]. - -The GnuPG version 1.9.x is not affected unless the currently -deprecated gpg part has been enabled. - - -Solution: -========= - -Update GnuPG as soon as possible to version 1.4.2.2. There are no -fixes for older versions available. - -If you can't get an update from your vendor, please follow the -instructions found at http://www.gnupg.org/download/ or read on: - -GnuPG 1.4.2.2 may be downloaded from one of the GnuPG mirror sites or -direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be -found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not -available at ftp.gnu.org. - -On the mirrors you should find the following files in the *gnupg* -directory: - - gnupg-1.4.2.2.tar.bz2 (2.8M) - gnupg-1.4.2.2.tar.bz2.sig - - GnuPG source compressed using BZIP2 and OpenPGP signature. - - gnupg-1.4.2.2.tar.gz (4.0M) - gnupg-1.4.2.2.tar.gz.sig - - GnuPG source compressed using GZIP and OpenPGP signature. - - gnupg-1.4.2.1-1.4.2.2.diff.bz2 (101k) - - A patch file to upgrade a 1.4.2.1 GnuPG source. - -Select one of them. To shorten the download time, you probably want to -get the BZIP2 compressed file. Please try another mirror if -exceptional your mirror is not yet up to date. - -In the *binary* directory, you should find these files: - - gnupg-w32cli-1.4.2.2.exe (1.4M) - gnupg-w32cli-1.4.2.2.exe.sig - - GnuPG compiled for Microsoft Windows and OpenPGP signature. - Note that this is a command line version and now comes with a - graphical installer tool. The source files are the same as - given above. Note, that a new version of the Gpg4Win - package[3], including a fixed version of GnuPG has also been - released today. - - -In order to check that the version of GnuPG which you are going to -install is an original and unmodified one, you can do it in one of -the following ways: - - * If you already have a trusted version of GnuPG installed, you can - simply check the supplied signature. Due to the fact that detached - signatures are used, the problem described here does not affect - this verification. For example to check the signature of the file - gnupg-1.4.2.2.tar.bz2 you would use this command: - - gpg --verify gnupg-1.4.2.2.tar.bz2.sig - - This checks whether the signature file matches the source file. - You should see a message indicating that the signature is good and - made by that signing key. Make sure that you have the right key, - either by checking the fingerprint of that key with other sources - or by checking that the key has been signed by a trustworthy other - key. Note, that you can retrieve the signing key using "finger wk - 'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the - keyservers. From time to time I prolong the expiration date; thus - you might need a fresh copy of that key. - - Never use a GnuPG version you just downloaded to check the - integrity of the source - use an existing GnuPG installation! - Watch out for a "Good signature" messages. - - * If you are not able to use an old version of GnuPG, you have to - verify the SHA-1 checksum. Assuming you downloaded the file - gnupg-1.4.2.1.tar.bz2, you would run the sha1sum command like this: - - sha1sum gnupg-1.4.2.2.tar.bz2 - - and check that the output matches the first line from the - following list: - -f5559ddb004e0638f6bd9efe2bac00134c5065ba gnupg-1.4.2.2.tar.bz2 -959540c1c6158e09d668ceee055bf366dc26d0bd gnupg-1.4.2.2.tar.gz -880b3e937f232b1ca366bda37c4a959aacbd84f3 gnupg-1.4.2.1-1.4.2.2.diff.bz2 -95dd7fd4c49423b86704acfc396ce5a53c8b19e7 gnupg-w32cli-1.4.2.2.exe - - - -Background: -=========== - -OpenPGP messages are made up of packets. The signed data is a packet, -the actual signature is a packet and there are several control packets -as well. For example: - - O + D + S - -This describes a standard signed message made made up of a control -packet (O for one-pass signature packet), the actual signed data (D) -and the actual signature packet (S). gpg checks that the signature S -is valid over the data D. This is actually easy if not OpenPGP and -GnuPG would have a long tradition of changing the fromats. PGP 2 -versions used a different way of composing these packets: - - S + D - -and early versions of gpg, released before RFC2440, even created - - D + S - -i.e. without the one-pass packet. Still this would all be easy to -process properly but in an ill-advised attempt to make things easier, -gpg allowed the processing of multiple signatures per file, like - - O1 + D1 + S1 + O2 + D2 + S2 - -where two standard signatures are concatenated. Now when combining -this with the other variants of signatures, things get really messy -and it is not always possible to assocciate the signature (S) with the -signed data (D). gpg checked that this all works but unfortunately -these checks are not sufficient enough. The attack is to change a -standard message to inject faked data (F). A simple case is this: - - F + O + D + S - -gpg now happily skips F for verification and does a proper signature -verification of D and if this succeeds, prints a positive result. -However when asked to output the actual signed data it will output the -concatenation of F + D and thus create the impression that both are -covered by the signature. Depending on how gpg is invoked (in a -pipeline or using --output) it may even output just F and not at all -D. There are several variants of the attack in where to put the faked -data. - -The only correct solution to this problem is to get rid of the feature -to check concatenated signatures - this allows for strict checking of -valid packet composition. This is what has been done in 1.4.2.2 and -in the forthcoming 1.4.3rc2. These versions accept signatures only if -they are composed of - - O + D + S - S + D - -Cleartext signatures are of course also supported, they are similiar -to the O+D+S case. - -The actual checking for valid signature packet composition is done at -g10/mainproc.c, at the top of check_sig_and_print(). - - -Thanks -====== - -Tavis Ormandy again poked on gpg and found this vulnerability. - -The new version has been released yesterday and should by now be -available on all mirrors. - - - - -[1] http://lists.gnupg.org/mailman/listinfo/gnupg-devel -[2] http://www.gnupg.org/related_software/gpgme -[3] http://www.gpg4win.org |