GnuPG does not detect injection of unsigned data

ID 948921AD-AFBC-11DA-BAD9-02E081235DAB
Type freebsd
Reporter FreeBSD
Modified 2006-03-11T00:00:00


Werner Koch reports:

In the aftermath of the false positive signature verification bug (announced 2006-02-15) more thorough testing of the fix has been done and another vulnerability has been detected. This new problem affects the use of gpg for verification of signatures which are not detached signatures. The problem also affects verification of signatures embedded in encrypted messages; i.e. standard use of gpg for mails.