Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Flaw Discovered in GPG

Posted by ryuzaki0 on from the enemy-within dept.

WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."

15 of 151 comments (clear)

  1. Oh no! by MyLongNickName · · Score: 4, Funny

    A serious security issue in GPG! We are all doomed!

    what is GPG?

    Yeah, I will go RTFA. However, summaries that assume you are familiar with an acronym are rude, IMHO ;)

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  2. Whew! by suso · · Score: 4, Funny

    Its a good thing I don't use GPG to sign my emails. Oh wait.

    1. Re:Whew! by Anonymous Coward · · Score: 5, Funny

      I have been publishing my GPG key for over a year now and I have yet to have anyone send me an encrypted email. I feel really lonely and unpopular. I'd even read encrypted penis enlargement spam if someone would be thoughtful enough to send me some.

  3. Re:Bug Intentionally Placed? by Saeed+al-Sahaf · · Score: 4, Funny

    The NSA secretly seeding Open Source with ingeniously crafted back doors? Never! Not our NSA...

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  4. Well , What is GPG? by baomike · · Score: 4, Funny

    Sound like a movie rating.

  5. Aha! by evil+agent · · Score: 5, Funny

    She thought she could get rid of me with that rejection via email. Now I've got reasonable doubt about her feelings. Until I get that court order, of course.

    --
    End transmission.
    1. Re:Aha! by Anonymous Coward · · Score: 4, Funny

      well, if you're lucky the court order will come by email too.

  6. Re:Don't forget Win95! by JustOK · · Score: 5, Funny

    Don't you think they're smart enough to think that you would think they weren't that stupid?

    --
    rewriting history since 2109
  7. Re:Don't forget Win95! by Sloppy · · Score: 4, Funny

    I'm not even smart enough to understand what you just said.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  8. check.. by dotpavan · · Score: 4, Funny

    did anybody cross-check the authenticity of that warning? I wont accept that until I verify its GPG key :)

  9. Re:Double Bag That Burger by TPS+Report · · Score: 5, Funny

    Another good recommendation is to diversify your crypto. Sign/encrypt your data with multiple different crypto algorithms in the same message.

    That's an awesome idea. I'm going to start doing that right now! :P

    This is a multi-part message in MIME format.
    ------=_NextPart_000_0012_01C22048.805E68 00
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit Test ------=_
    NextPart_000_0012_01C22048.805E6800 Content-Type:

    application/x-pkcs7-signature; name="smime.p7s"

    Content-Transfer-Encoding: base64 Content-Disposition:
    attachment; filename="smime.p7s"</b>
    MIAGCSqGSIb3DQEHAqCAMIAC AQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAo
    IIKGDCC Ajww ggGlAhAyUDPPUNFW81yBrWVcT8glMA0GCSqGSIb3DQEBAgUAMF 8xC
    zAJBgNVBAYTAlVTMRcwFQYD VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ
    2xhc3Mg MSBQdWJsaWMgUHJpbWFyeSBDZXJ0 aWZpY2F0aW9uIEF1dGhvcml0eTAeF
    w05NjAxMjkwMDAwMDBa Fw0yMDAxMDcyMzU5NTlaMF8xCzAJ BgNVBAYTAlVTMRcwF
    QYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3 MDUGA1UECxMuQ2xhc3MgMSBQdWJs aWMgU
    HJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCB nzANBgkqhkiG9w0BAQEFAA
    OBjQAw gYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIgu VzqKCbJF
    0NH8xlbgyw0FaEGIea BpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzR
    QR 4k5FVmkfeAKA2txHkSm7NsljXMXg 1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAAT
    ANBgkqhkiG9w0B AQIFAAOBgQBLRGZgaGTkmBvzsHLm lYl83XuzlcAdLtjYGdAtND
    3GUJoQhoyqPzuoBPw3UpXD2cnb zfKGBsSxG/CCiDBCjhdQHGR6uD6Z SXSX/KwCQ/
    uWDFYEJQx8fIedJKfY8DIptaTfXaJMxRYyqEL2 Raa2Nrngv2U2k8LS12vc3lnWojX
    RTCCAy4wggKXoAMCAQICE QDSdi6NFAw9fbKoJV2v7g11MA0GCSqGSIb3DQEBAgUAM
    F8xC zAJBgNV BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1 UEC
    xMuQ2xhc3MgMSBQdWJsaWMg UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0e
    TAeFw05 ODA1MTIwMDAwMDBaFw0wODA1MTIy MzU5NTlaMIHMMRcwFQYDVQQKEw5WZ
    XJpU2lnbiwgSW5jLjEf MB0GA1UECxMWVmVyaVNpZ24gVHJ1 c3QgTmV0d29yazFGM
    EQGA1UECxM9d3d3LnZlcmlzaWduLmNv bS9yZXBvc2l0b3J5L1JQQSBJbmNv cnAuI
    EJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/ VmVyaVNpZ24gQ2xhc3MgMS
    BDQSBJ bmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaW RhdGVkMI
    GfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQC7WkSKBBa7Vf0DeootlE8VeDa4DU
    qy b5xUv7zodyqdufBou5XZMUFweoFL uUgTVi3HCOGEQqvAopKrRFyqQvCCDgLpL/
    vCO7u+yScKXbaw NkIztW5UiE+HSr8Z2vkV6A+Hthzj zMaajn9qJJLj/OBluqexfu
    /J2zdqyErICQbkmQIDAQABo3ww ejARBglghkgBhvhCAQEEBAMCAQYw RwYDVR0gBE
    AwPjA8BgtghkgBhvhFAQcBATAtMCsGCCsGAQUF BwIBFh93d3cudmVyaXNpZ24uY29
    t L3JlcG9zaXRvcnkvUlBBMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR 0PBAQDAgEGMA0
    GCSqGSIb3DQEB AgUAA4GBAIi4Nzvd2pQ3AK2qn+GBAXEekmptL/bxndPKZDjcG5 g
    MB4ZbhRVqD7lJhaSV8Rd9Z7R/ LSzdmkKewz60jqrlCwbe8lYq+jPHvhnXU0zDvcj
    jF7WkSUJj 7MKmFw9dWBpJPJBcVaNlIAD9GCDl X4KmsaiSxVhqwY0DPOvDzQWikK5
    uMIIEojCCBAugAwIBAgIQ BUy90AsJrAtbnO8CULdhXDANBgkq hkiG9w0BAQIFADC
    BzDEXMBUGA1UEChMOVmVyaVNpZ24sIElu Yy4xHzAdBgNVBAsTFlZlcmlTaWdu IFR
    ydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2ln bi5jb20vcmVwb3NpdG9y
    eS9SUEEg SW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBA MTP1Zl
    cmlTaWduIENsYXNzIDEg Q0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEg
    Tm90 IFZhbGlkYXRlZDAeFw0wMTA3MTYw MDAwMDBaFw0wMjA3MTYyMzU5NTlaMIIB
    FDEXMBUGA1UEChMO VmVyaVNpZ24sIEluYy4xHzAdBgNV BAsTFlZlcmlTaWduIFRy
    dXN0IE5ldHdvcmsxRjBEBgNVBAsT PXd3dy52ZXJpc2lnbi5jb20vcmVw b3NpdG9y
    eS9SUEEgSW5jb

    --
    I was told that I could listen to the radio at a reasonable volume from nine to eleven...
  10. Damn Microsoft!! by Anonymous Coward · · Score: 4, Funny

    I'm tired of their insecure crap! Oh wait, its GNU open source? In that case, you lazy bastard end users should have fixed it yourself!

  11. Re:Bug Intentionally Placed? by From+A+Far+Away+Land · · Score: 5, Funny

    Do you suppose the NSA is also responsible for the backdoor exploit on the Goatse guy?

    --
    Oh You POS
  12. Re:Bug Intentionally Placed? by Anonymous Coward · · Score: 5, Funny

    No that was a widely known and exploited crack.

  13. Re:Double Bag That Burger by LS · · Score: 5, Funny


    How in the F*** did THAT make it through the lameness filters?!

    --
    There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie