from gnupg.org:
Signature verification of non-detached signatures may give a positive
result but when extracting the signed data, this data may be prepended
or appended with extra data not covered by the signature. Thus it is
possible for an attacker to take any signed message and inject extra
arbitrary data.
The security issue is caused due to "gpgv" exiting with a return code
of 0 even if the detached signature file did not carry any signature.
This may result in certain scripts that use "gpgv" to conclude that
the signature is correctly verified.
More info: http://secunia.com/advisories/18845/
ok bernd@ pvalchev@
memory if swap encryption is disabled. (It's enabled by default.)
This supersedes pkg/MESSAGE.
Regen patches with update-patches while I'm here. Bump PKGNAME.
idea and ok espie@
A bug was discovered in the key validation code. This bug causes keys
with more than one user ID to give all user IDs on the key the amount
of validity given to the most-valid key.
http://marc.theaimsgroup.com/?l=bugtraq&m=105215110111174&w=2
--
MAINTAINER ok
- move idea patches to patches directory.
- remove unneeded patch-cipher_Makefile_am.
- remove deprecated NEED_VERSION.
you need an updated gas for this to work on i386.
discussed with reinhard@.
*) Fixed a format string bug which is exploitable if --batch is not used.
*) Checked all translations for format strings bugs.
*) Removed the Russian translation due to too many bugs.
*) Fixed keyserver access and expire time calculation.
ok maintainer
patch from:
Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
# http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff
# http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff.asc
It introduces additional consistency checks, as suggested by the
authors of the paper. The checks are slightly different, but they
make the two additional attacks infeasible, I think. In the future,
it might be a good idea to add a check the generated signature for
validity, this will detect bugs in the MPI implementation which could
result in a revealed secret key, too.
ok markus@
