Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Flaw Discovered in GPG

Posted by ryuzaki0 on from the enemy-within dept.

WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."

23 of 151 comments (clear)

  1. Oh no! by MyLongNickName · · Score: 4, Funny

    A serious security issue in GPG! We are all doomed!

    what is GPG?

    Yeah, I will go RTFA. However, summaries that assume you are familiar with an acronym are rude, IMHO ;)

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Oh no! by pete-classic · · Score: 3, Funny

      What the fuck is an IMHO, and what does it have to do with a RTFA?

      -Peter

    2. Re:Oh no! by xchino · · Score: 3, Funny

      Mod parent down. What a disgusting display of arrogance and elitism. You're the one who shouldn't be here, regardless of how low your UID is.

      "If you do not know what GPG is, you're not a nerd - and you're on the wrong site."

        I think about 98% of the science department at any college would tell you exactly what a fucking idiot you are for making such a broadly stupid statement. Are you seriously so deluded that you think the only type of nerd is a computer nerd? And that all computer nerds have heard of this one specific release of a technology rarely used even in business environments? The majority of nerds and geeks don't know what GPG is. People like you and me are the minority, fucking get over it, and get over yourself.

      "Seriously: Go away."

      Fuck you, you go away. I'd take a complete know-nothing over an arrogant asshole anyday. People like you detract from the value of this site. No one gives a shit you've been here since the 90's. Why don't you go have a plaque made to hang up on your bedrooom wall to show how cool you are? Do you put your slashdot UID on resumes as an acheivement?

      "Rude is to be at a site where you obviously do not belong - irritating the people who has frequented the site since the 90s."

        Rude is to act like you are the sole arbitrator of who should and should not be allowed to voice their opinion on an open forum, like you're the fucking gestapo or something. Given the recent history of postings The GP has, in the eyes of the users of this site, a better quality of contribution than You.

        Based on your attitude I can only assume you are a sad, pathetic man, with delusions of some sort of elevated importance via seniority. I, as well as the majority of slashdotter welcome ANYONE who is interested in science, technology, gaming, or any of the various subjects that slashdot covers, including politics, regardless of their ignorance of a certain subject or technology. You're nothing but an eSnob.

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.
  2. Whew! by suso · · Score: 4, Funny

    Its a good thing I don't use GPG to sign my emails. Oh wait.

    1. Re:Whew! by Anonymous Coward · · Score: 5, Funny

      I have been publishing my GPG key for over a year now and I have yet to have anyone send me an encrypted email. I feel really lonely and unpopular. I'd even read encrypted penis enlargement spam if someone would be thoughtful enough to send me some.

  3. Bug Intentionally Placed? by Un-Thesis · · Score: 2, Funny

    For all the tinfoil hat people out there, I propose that the bug may have been placed intentionally, since GnuPG is, in fact, an opensource community project. So instead of taking hours to obtain a GPG key, the NSA could spend seconds and impersonate an otherwise [strike]paranoid[/strike] privacy-oriented person in typically confidential memos. Maybe a full accounting as to when the bug got there, how it got there, who put it there and the chances of it being purely human error are to be demanded? After all, some people (including myself) have invested some very expensive stakes in the security of GnuPG over the years.

    HopeSeekr of xMule

    --
    Promote freedom; fight fascism.
    1. Re:Bug Intentionally Placed? by Saeed+al-Sahaf · · Score: 4, Funny

      The NSA secretly seeding Open Source with ingeniously crafted back doors? Never! Not our NSA...

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    2. Re:Bug Intentionally Placed? by From+A+Far+Away+Land · · Score: 5, Funny

      Do you suppose the NSA is also responsible for the backdoor exploit on the Goatse guy?

      --
      Oh You POS
    3. Re:Bug Intentionally Placed? by Anonymous Coward · · Score: 5, Funny

      No that was a widely known and exploited crack.

  4. hang on, i'll tell him by Anonymous Coward · · Score: 1, Funny


    that GPG user lives downstairs i'll just tell him there is a problem

  5. Well , What is GPG? by baomike · · Score: 4, Funny

    Sound like a movie rating.

  6. Aha! by evil+agent · · Score: 5, Funny

    She thought she could get rid of me with that rejection via email. Now I've got reasonable doubt about her feelings. Until I get that court order, of course.

    --
    End transmission.
    1. Re:Aha! by Anonymous Coward · · Score: 4, Funny

      well, if you're lucky the court order will come by email too.

  7. Re:Don't forget Win95! by JustOK · · Score: 5, Funny

    Don't you think they're smart enough to think that you would think they weren't that stupid?

    --
    rewriting history since 2109
  8. Re:Don't forget Win95! by Sloppy · · Score: 4, Funny

    I'm not even smart enough to understand what you just said.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  9. Someone should get fired by Yoik · · Score: 3, Funny

    That information should never have been released! The negative press will impact sales. It would have been better to pretend the bug never existed.

    Oh, it isn't corporate product, nevermind.

  10. check.. by dotpavan · · Score: 4, Funny

    did anybody cross-check the authenticity of that warning? I wont accept that until I verify its GPG key :)

  11. Re:Double Bag That Burger by TPS+Report · · Score: 5, Funny

    Another good recommendation is to diversify your crypto. Sign/encrypt your data with multiple different crypto algorithms in the same message.

    That's an awesome idea. I'm going to start doing that right now! :P

    This is a multi-part message in MIME format.
    ------=_NextPart_000_0012_01C22048.805E68 00
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit Test ------=_
    NextPart_000_0012_01C22048.805E6800 Content-Type:

    application/x-pkcs7-signature; name="smime.p7s"

    Content-Transfer-Encoding: base64 Content-Disposition:
    attachment; filename="smime.p7s"</b>
    MIAGCSqGSIb3DQEHAqCAMIAC AQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAo
    IIKGDCC Ajww ggGlAhAyUDPPUNFW81yBrWVcT8glMA0GCSqGSIb3DQEBAgUAMF 8xC
    zAJBgNVBAYTAlVTMRcwFQYD VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ
    2xhc3Mg MSBQdWJsaWMgUHJpbWFyeSBDZXJ0 aWZpY2F0aW9uIEF1dGhvcml0eTAeF
    w05NjAxMjkwMDAwMDBa Fw0yMDAxMDcyMzU5NTlaMF8xCzAJ BgNVBAYTAlVTMRcwF
    QYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3 MDUGA1UECxMuQ2xhc3MgMSBQdWJs aWMgU
    HJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCB nzANBgkqhkiG9w0BAQEFAA
    OBjQAw gYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIgu VzqKCbJF
    0NH8xlbgyw0FaEGIea BpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzR
    QR 4k5FVmkfeAKA2txHkSm7NsljXMXg 1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAAT
    ANBgkqhkiG9w0B AQIFAAOBgQBLRGZgaGTkmBvzsHLm lYl83XuzlcAdLtjYGdAtND
    3GUJoQhoyqPzuoBPw3UpXD2cnb zfKGBsSxG/CCiDBCjhdQHGR6uD6Z SXSX/KwCQ/
    uWDFYEJQx8fIedJKfY8DIptaTfXaJMxRYyqEL2 Raa2Nrngv2U2k8LS12vc3lnWojX
    RTCCAy4wggKXoAMCAQICE QDSdi6NFAw9fbKoJV2v7g11MA0GCSqGSIb3DQEBAgUAM
    F8xC zAJBgNV BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1 UEC
    xMuQ2xhc3MgMSBQdWJsaWMg UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0e
    TAeFw05 ODA1MTIwMDAwMDBaFw0wODA1MTIy MzU5NTlaMIHMMRcwFQYDVQQKEw5WZ
    XJpU2lnbiwgSW5jLjEf MB0GA1UECxMWVmVyaVNpZ24gVHJ1 c3QgTmV0d29yazFGM
    EQGA1UECxM9d3d3LnZlcmlzaWduLmNv bS9yZXBvc2l0b3J5L1JQQSBJbmNv cnAuI
    EJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/ VmVyaVNpZ24gQ2xhc3MgMS
    BDQSBJ bmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaW RhdGVkMI
    GfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQC7WkSKBBa7Vf0DeootlE8VeDa4DU
    qy b5xUv7zodyqdufBou5XZMUFweoFL uUgTVi3HCOGEQqvAopKrRFyqQvCCDgLpL/
    vCO7u+yScKXbaw NkIztW5UiE+HSr8Z2vkV6A+Hthzj zMaajn9qJJLj/OBluqexfu
    /J2zdqyErICQbkmQIDAQABo3ww ejARBglghkgBhvhCAQEEBAMCAQYw RwYDVR0gBE
    AwPjA8BgtghkgBhvhFAQcBATAtMCsGCCsGAQUF BwIBFh93d3cudmVyaXNpZ24uY29
    t L3JlcG9zaXRvcnkvUlBBMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR 0PBAQDAgEGMA0
    GCSqGSIb3DQEB AgUAA4GBAIi4Nzvd2pQ3AK2qn+GBAXEekmptL/bxndPKZDjcG5 g
    MB4ZbhRVqD7lJhaSV8Rd9Z7R/ LSzdmkKewz60jqrlCwbe8lYq+jPHvhnXU0zDvcj
    jF7WkSUJj 7MKmFw9dWBpJPJBcVaNlIAD9GCDl X4KmsaiSxVhqwY0DPOvDzQWikK5
    uMIIEojCCBAugAwIBAgIQ BUy90AsJrAtbnO8CULdhXDANBgkq hkiG9w0BAQIFADC
    BzDEXMBUGA1UEChMOVmVyaVNpZ24sIElu Yy4xHzAdBgNVBAsTFlZlcmlTaWdu IFR
    ydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2ln bi5jb20vcmVwb3NpdG9y
    eS9SUEEg SW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBA MTP1Zl
    cmlTaWduIENsYXNzIDEg Q0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEg
    Tm90 IFZhbGlkYXRlZDAeFw0wMTA3MTYw MDAwMDBaFw0wMjA3MTYyMzU5NTlaMIIB
    FDEXMBUGA1UEChMO VmVyaVNpZ24sIEluYy4xHzAdBgNV BAsTFlZlcmlTaWduIFRy
    dXN0IE5ldHdvcmsxRjBEBgNVBAsT PXd3dy52ZXJpc2lnbi5jb20vcmVw b3NpdG9y
    eS9SUEEgSW5jb

    --
    I was told that I could listen to the radio at a reasonable volume from nine to eleven...
  12. Damn Microsoft!! by Anonymous Coward · · Score: 4, Funny

    I'm tired of their insecure crap! Oh wait, its GNU open source? In that case, you lazy bastard end users should have fixed it yourself!

  13. Quick! by SuperKendall · · Score: 3, Funny

    Better assign a security Czar!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  14. Re:GPG is: by realbadjuju · · Score: 2, Funny

    Mod parent up, since he's right...

  15. Re:Double Bag That Burger by LS · · Score: 5, Funny


    How in the F*** did THAT make it through the lameness filters?!

    --
    There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
  16. It could happen... by Anonymous Coward · · Score: 1, Funny

    Dear Alice,
                            Have you heard? GPG has a bug in it that lets people append data to a signed email message! What are we going to do to stop Malory from attacking us?

    Sincerely,
    Bob

    PS. Jus7 k!dd!ng! 1ts n0t 7ru3! I'm t@lk!ng thr0ugh my @$$!! LOLOLOLOLOL