
Caldera Systems Security Advisory: verification bug in gnupg

Date: Thu, 19 Oct 2000 11:14:17 -0600
From: Caldera Support Info sup-info@LOCUTUS4.CALDERASYSTEMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Update: verification bug in gnupg


                   Caldera Systems, Inc.  Security Advisory
 
Subject:                verification bug in gnupg
Advisory number:        CSSA-2000-038.0
Issue date:             2000 October, 18
Cross reference:

1. Problem Description

There is a bug in the signature verification of GNUpg, the GNU
replacement for PGP.

Normally, signature verification with gnupg works as expected;
gnupg properly detects when digitally signed data has been tampered
with.

However, these checks do not work properly if there are several
sections with inline signatures within a single file. In this case,
GNUpg does not always detect when some of the signed portions have
been modified, and incorrectly claims that all signatures are
valid.
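The failure mode described above is a file that carries several inline (clearsigned) sections, where a single "good signature" verdict for the whole file hides a modified section or unsigned text slipped in between sections. The following Python is an added example, not code from Caldera or from GnuPG: it splits such a file into its sections, recovers the text each section actually protects (undoing the dash-escaping of RFC 2440 section 7.1), and refuses to trust the file unless every section verifies on its own and nothing unsigned sits between them. The `verify_block` callback and the `SAMPLE` text are assumptions for illustration; the signature armor in the sample is a placeholder and would not verify with any real key.

```python
"""Split a file holding several inline (clearsigned) PGP sections and
check each section separately instead of trusting one aggregate verdict.
Added example; not part of the advisory or of GnuPG."""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Return an ordered list of (kind, body) segments.

    kind is "signed" for one complete clearsigned block (BEGIN PGP SIGNED
    MESSAGE through END PGP SIGNATURE) and "unsigned" for any non-blank
    text outside such a block.  A BEGIN line with no matching END raises
    ValueError rather than being merged into a neighbouring section.
    """
    lines = text.splitlines()
    segments, loose, i = [], [], 0
    while i < len(lines):
        if lines[i].rstrip() != BEGIN_SIGNED:
            loose.append(lines[i])
            i += 1
            continue
        if "\n".join(loose).strip():
            segments.append(("unsigned", "\n".join(loose)))
        loose = []
        j = i
        while j < len(lines) and lines[j].rstrip() != END_SIG:
            j += 1
        if j == len(lines):
            raise ValueError("clearsigned block at line %d has no END PGP SIGNATURE" % (i + 1))
        segments.append(("signed", "\n".join(lines[i:j + 1])))
        i = j + 1
    if "\n".join(loose).strip():
        segments.append(("unsigned", "\n".join(loose)))
    return segments


def signed_text(block):
    """Extract the message text one clearsigned block protects.

    Per RFC 2440 section 7.1 the text begins after the blank line that
    closes the armor headers (e.g. "Hash: SHA1") and ends just before
    BEGIN PGP SIGNATURE; a leading "- " was added by the signer to lines
    starting with a dash and is removed here.
    """
    lines = block.splitlines()
    start = lines.index("") + 1          # first blank line ends the headers
    end = lines.index(BEGIN_SIG)
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in lines[start:end])


def check_file(text, verify_block):
    """Verify every section on its own and return (trusted, report).

    verify_block is a hypothetical callable taking one complete clearsigned
    block and returning True only if its signature is good; wiring it to a
    real PGP implementation is the caller's job.  The file is trusted only
    when every signed section verifies and no unsigned text appears
    anywhere between sections.
    """
    report = []
    for kind, body in split_clearsigned(text):
        ok = bool(verify_block(body)) if kind == "signed" else False
        report.append((kind, ok))
    trusted = bool(report) and all(ok for _, ok in report)
    return trusted, report


# Constructed sample: two clearsigned sections with unsigned text between
# them.  The signature armor is a placeholder, not a real signature.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Update gnupg to 1.0.4-2.
- - this line was dash-escaped by the signer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)

iQEVAwUBPLACEHOLDERSIGNATURE1
-----END PGP SIGNATURE-----
Please also run this unsigned command.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Second signed section.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)

iQEVAwUBPLACEHOLDERSIGNATURE2
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    # Treat every section as verifying to show that the unsigned text
    # between sections is still enough to reject the file.
    trusted, report = check_file(SAMPLE, lambda block: True)
    print("trusted:", trusted)
    for kind, ok in report:
        print("  %-8s %s" % (kind, "ok" if ok else "REJECT"))
```

The design point is that the verdict is computed per section and then combined conservatively, so a reader of the report can see which section failed; a single boolean for the whole file, which is what the affected GnuPG versions effectively produced, cannot show that.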

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        not vulnerable

   OpenLinux eServer 2.3        not vulnerable
   and OpenLinux eBuilder

   OpenLinux eDesktop 2.4       All packages previous to
                                gnupg-1.0.4-2


3. Solution

Workaround:

None

4. OpenLinux Desktop 2.3

not vulnerable

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

not vulnerable

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:


ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:


ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

       3892693d729a46acc587dcece5a59f7c  RPMS/gnupg-1.0.4-2.i386.rpm
       407234b6c1381ed0e4e22ae99b88ba3f  SRPMS/gnupg-1.0.4-2.src.rpm
        
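The two lines above are in the format printed by `md5sum`. As an added example (not Caldera's own tooling), the Python below parses that format, hashes each downloaded package in chunks so a large RPM is not read into memory at once, and reports per file whether the digest matches, differs, or the file is absent. The `DOWNLOAD_DIR` path and the byte strings used in the self-check are assumptions for illustration.

```python
"""Check downloaded update packages against the MD5 digests published in
an advisory.  Added example, not Caldera's own tooling."""
import hashlib
import os

# The advisory's own Verification lines, copied verbatim.
ADVISORY_CHECKSUMS = """\
3892693d729a46acc587dcece5a59f7c  RPMS/gnupg-1.0.4-2.i386.rpm
407234b6c1381ed0e4e22ae99b88ba3f  SRPMS/gnupg-1.0.4-2.src.rpm
"""


def parse_md5sum_lines(text):
    """Parse md5sum-style "<32 hex chars>  <path>" lines into
    {basename: hexdigest}; anything else on a line is ignored."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 32:
            continue
        try:
            int(parts[0], 16)            # reject lines whose digest is not hex
        except ValueError:
            continue
        expected[os.path.basename(parts[1])] = parts[0].lower()
    return expected


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory byte string (used by the self-check)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 16):
    """MD5 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_digests(expected, actual):
    """Map each expected file name to "ok", "MISMATCH" or "missing".

    expected and actual are both {basename: hexdigest}; a file that was
    downloaded but is not listed in the advisory is deliberately not
    reported, because the advisory says nothing about it."""
    results = {}
    for name, digest in expected.items():
        if name not in actual:
            results[name] = "missing"
        elif actual[name] == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def verify_downloads(checksum_text, directory):
    """Hash every listed package found in directory and compare."""
    expected = parse_md5sum_lines(checksum_text)
    actual = {}
    for name in expected:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            actual[name] = md5_of_file(path)
    return compare_digests(expected, actual)


if __name__ == "__main__":
    DOWNLOAD_DIR = "."                   # assumed location of the fetched RPMs
    for name, status in sorted(verify_downloads(ADVISORY_CHECKSUMS, DOWNLOAD_DIR).items()):
        print("%-9s %s" % (status, name))
```

Only a result of `ok` for every listed file means the packages are the ones the advisory describes; a `missing` entry for a file you did not fetch (the source RPM, for instance) is expected, but a `MISMATCH` means the download should be discarded and fetched again.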

6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv gnupg-1.0.4-2.i386.rpm

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

This security fix closes Caldera’s internal Problem Report
7996.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.

9. Acknowledgements

Caldera Systems wishes to thank Werner Koch, the author of
GNUpg, for his work and cooperation.
