Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200602-10
HistoryFeb 18, 2006 - 12:00 a.m.

GnuPG: Incorrect signature verification

2006-02-1800:00:00
Gentoo Foundation
security.gentoo.org
8

0.001 Low

EPSS

Percentile

46.0%

JSON

Background

GnuPG (The GNU Privacy Guard) is a free replacement for PGP (Pretty Good Privacy). As GnuPG does not rely on any patented algorithms, it can be used without any restrictions. gpgv is the OpenPGP signature verification tool provided by the GnuPG system.

Description

Tavis Ormandy of the Gentoo Linux Security Auditing Team discovered that automated systems relying on the return code of GnuPG or gpgv to authenticate digital signatures may be misled by malformed signatures. GnuPG documentation states that a return code of zero (0) indicates success, however gpg and gpgv may also return zero if no signature data was found in a detached signature file.

Impact

An attacker may be able to bypass authentication in automated systems relying on the return code of gpg or gpgv to authenticate digital signatures.

Workaround

There is no known workaround at this time.

Resolution

All GnuPG users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.2.1"
OSVersionArchitecturePackageVersionFilename
Gentooanyallapp-crypt/gnupg< 1.4.2.1UNKNOWN

Related

nessus 11
freebsd 1
openvas 12
prion 2
debian 2
cve 2
debiancve 2
ubuntucve 2
ubuntu 1
suse 3
redhat 1
centos 2
slackware 1
nessus
nessus
Debian DSA-978-1 : gnupg - programming error
2006-10-14 00:00:00
SUSE-SA:2006:009: gpg,liby2util
2006-02-22 00:00:00
GLSA-200602-10 : GnuPG: Incorrect signature verification
2006-02-19 00:00:00
freebsd
freebsd
gnupg -- false positive signature verification
2006-02-15 00:00:00
openvas
openvas
SLES9: Security update for gpg
2009-10-10 00:00:00
Debian Security Advisory DSA 978-1 (gnupg)
2008-01-17 00:00:00
FreeBSD Ports: gnupg
2008-09-04 00:00:00
prion
prion
Code injection
2006-02-15 22:06:00
Code injection
2006-03-13 21:06:00
debian
debian
[SECURITY] [DSA 978-1] New GnuPG packages fix invalid success return
2006-02-17 08:30:50
[SECURITY] [DSA 978-1] New GnuPG packages fix invalid success return
2006-02-17 00:00:00
cve
cve
CVE-2006-0455
2006-02-15 22:06:00
CVE-2006-0049
2006-03-13 21:06:00
debiancve
debiancve
CVE-2006-0455
2006-02-15 22:06:00
CVE-2006-0049
2006-03-13 21:06:00
ubuntucve
ubuntucve
CVE-2006-0455
2006-02-15 00:00:00
CVE-2006-0049
2006-03-13 00:00:00
ubuntu
ubuntu
gnupg vulnerability
2006-02-18 00:00:00
suse
suse
remote code execution in gpg
2006-03-10 17:18:31
remote code execution in gpg,liby2util
2006-03-01 09:23:07
remote code execution in gpg,liby2util
2006-02-20 16:55:38
redhat
redhat
(RHSA-2006:0266) gnupg security update
2006-03-15 00:00:00
centos
centos
gnupg security update
2006-03-21 22:54:57
gnupg security update
2006-03-16 00:53:16
slackware
slackware
[slackware-security] gnupg
2006-03-14 04:59:29

0.001 Low

EPSS

Percentile

46.0%

JSON
Related for GLSA-200602-10
nessus11freebsd1openvas12prion2debian2cve2debiancve2ubuntucve2ubuntu1suse3redhat1centos2slackware1