gpg flaw

March 22nd, 2006

GnuPG does not detect injection of unsigned data
(released 2006-03-09, CVE-2006-0049)
In the aftermath of the false positive signature verification bug
(announced 2006-02-15) more thorough testing of the fix has been done
and another vulnerability has been detected.
Signature verification of non-detached signatures may give a positive
result but when extracting the signed data, this data may be prepended
or appended with extra data not covered by the signature. Thus it is
possible for an attacker to take any signed message and inject extra
arbitrary data.

Detached signatures (a separate signature file) are not affected.

All versions of gnupg prior to are affected.
GPG [announce]

Those of you using earlier versions of GPG will no doubt want to upgrade.
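An added example (not from the advisory or from GnuPG itself) of how a caller can guard the plaintext extracted from a non-detached signature: read GnuPG's `--status-fd` lines instead of trusting the exit code, and accept the output only if exactly one PLAINTEXT block was seen together with a VALIDSIG and no UNEXPECTED, BADSIG, ERRSIG or NODATA line. The status keywords are GnuPG's own; the one-PLAINTEXT policy, the `run_gpg` invocation and the sample status lines are this example's assumptions.

```python
import re
import subprocess
from typing import List, NamedTuple

# GnuPG machine-readable status lines look like "[GNUPG:] KEYWORD args...".
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

class VerifyResult(NamedTuple):
    trusted: bool
    reason: str
    fingerprints: List[str]

def judge_status(status_lines: List[str]) -> VerifyResult:
    """Decide whether the plaintext gpg wrote for a non-detached signature
    may be trusted, using only the status output (assumed policy: exactly
    one PLAINTEXT, at least one VALIDSIG, no error/unexpected-data lines)."""
    plaintext_blocks = 0
    fingerprints: List[str] = []
    problems: List[str] = []
    for line in status_lines:
        m = STATUS_RE.match(line.rstrip("\n"))
        if not m:
            continue  # ordinary gpg stderr text, not a status line
        keyword, args = m.group(1), m.group(2) or ""
        if keyword == "PLAINTEXT":          # one per literal-data packet
            plaintext_blocks += 1
        elif keyword == "VALIDSIG":         # first arg is the signer fingerprint
            fingerprints.append(args.split()[0])
        elif keyword in ("BADSIG", "ERRSIG", "NODATA", "UNEXPECTED"):
            problems.append(keyword)
    if problems:
        return VerifyResult(False, "gpg reported " + ",".join(problems), fingerprints)
    if plaintext_blocks != 1:
        return VerifyResult(False, f"{plaintext_blocks} plaintext blocks, expected 1", fingerprints)
    if not fingerprints:
        return VerifyResult(False, "no VALIDSIG", fingerprints)
    return VerifyResult(True, "ok", fingerprints)

def run_gpg(signed_file: str, out_file: str) -> VerifyResult:
    """Extract a non-detached signed message and judge it (assumed invocation)."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--output", out_file,
                           "--decrypt", signed_file], capture_output=True, text=True)
    return judge_status(proc.stdout.splitlines())

# Constructed sample status output for a clean message and for one with an
# extra, unsigned literal-data packet appended (second PLAINTEXT line).
FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] PLAINTEXT 62 1141862400 msg.txt",
    f"[GNUPG:] GOODSIG {FPR[-16:]} Example Signer <signer@example.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2006-03-09 1141862400 0 4 0 17 2 00 {FPR}",
]
INJECTED_STATUS = GOOD_STATUS + ["[GNUPG:] PLAINTEXT 62 1141862400 extra.txt"]
```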