Debian Security Advisory: two gpg problemsDec 25, 2000, 05:27 (0 Talkback[s])
Date: Mon, 25 Dec 2000 05:34:02 +0100
Debian Security Advisory DSA-010-1 email@example.com http://www.debian.org/security/ Wichert Akkerman December 25, 2000
Package : gnupg Problem type : cheating with detached signatures, circumvention of web of trust Debian-specific: noTwo bugs in GnuPG have recently been found:
1. false positives when verifying detached signatures
There is a problem in the way gpg checks detached signatures which can lead to false positives. Detached signature can be verified with a command like this:
gpg --verify detached.sig < mydata
If someone replaced detached.sig with a signed text (ie not a detached signature) and then modified mydata gpg would still report a successfully verified signature.
To fix the way the --verify option works has been changes: it now needs two options when verifying detached signatures: both the file with the detached signature, and the file with the data to be verified. Please note that this makes it incompatible with older versions!
2. secret keys are silently imported
Florian Weimer discovered that gpg would import secret keys from key-servers. Since gpg considers public keys corresponding to known secret keys to be ultimately trusted an attacked can use this circumvent the web of trust.
To fix this a new option was added to to tell gpg it is allowed to import secret keys: --allow-key-import.
Both these fixes are in version 1.0.4-1.1 and we recommend that you upgrade your gnupg package immediately.
wget url will fetch the file for you dpkg -i file.deb will install the referenced file.Debian GNU/Linux 2.2 alias potato
Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
Intel ia32 architecture:
Motorola 680x0 architecture:
Sun Sparc architecture:
These files will be moved into
For not yet released architectures please refer to the