On Wed, Feb 15, 2006 at 08:49:25AM +0100, Werner Koch wrote:
> False positive signature verification in GnuPG
> ==============================================
>
> Summary
> =======
>
> The Gentoo project identified a security related bug in GnuPG. When
> using any current version of GnuPG for unattended signature
> verification (e.g. by scripts and mail programs), false positive
> signature verification of detached signatures may occur.
>
> This problem affects the tool gpgv, as well as using "gpg --verify"
> to imitate gpgv, if only the exit code of the process is used to
> decide whether a detached signature is valid. This is a plausible
> mode of operation for gpgv.
There is also another signature checking related bug, but not acknowledged
by Werner.
gpg -o xx xx.asc with the attached ASCII signature protected file does
not return an error on a crafted signature.
gpg version before 1.4 did fail on this, gpg 1.4 does not.
$ gpg -o xx xx.asc
gpg: malformed CRC
$ echo $?
2
$
1.4 does accept it:
$ gpg -o xx xx.asc
$ echo $?
0
$
While files with other content report:
$ gpg -o xx xx.any
gpg: no valid OpenPGP data found.
gpg: processing message failed: eof
$ echo $?
2
$
The SUSE Security Team still considers this a bug, even if upstream does not.
Ciao, Marcus