Security Flaw Discovered in GPG

WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."

Not a fundamental flaw.

[aprilsound]

From TFA:

The attack is to change a standard message to inject faked data (F). A simple case is this: F + O + D + S gpg now happily skips F for verification and does a proper signature verification of D and if this succeeds, prints a positive result. However when asked to output the actual signed data it will output the concatenation of F + D and thus create the impression that both are covered by the signature.

So this is a simple mistake made by GPG, in an effort to coexist well with email and the like.

In other words, GPG looks at an email message and sees headers and the like. Of course, the headers were not signed (just the message), so GPG skips them and when it encounters the signed message, it begins to verify the signature.

So, if you are an attacker, you insert something before or after the signed message, and when GPG goes to verify it, the signed message passes, but GPG nicely prints out the whole message for you, instead of just the signed part. Oops, not a big deal, encryption isn't broken, in fact this is just an application bug.

Re:Not a fundamental flaw.

[linhux]

Sorry, but this like a big deal to me. The whole point of digital signatures is that you can know exactly what has been signed by the signer -- and be sure that nothing has been added and removed on the way. Consider this e-mail:

From: BOSS@CORPORATE.COM
To: MIDDLEMANAGER@CORPORATE.COM
Subject: Employee Burt Reynolds

That's a fine lad! Let's give him a raise!

-- Boss

GPG SIGNATURE VERIFIED: BOSS@CORPORATE.COM

Now, this message can be intercepted and a new part inserted before the actual message body, without the receiver being notified -- here I have marked the new part with bold text:

From: BOSS@CORPORATE.COM
To: MIDDLEMANAGER@CORPORATE.COM
Subject: Employee Burt Reynolds

Fire him immediately. He is a waste of space.

Employee Foo Bar, on the other hand. That's a fine lad! Let's give him a raise!

-- Boss

GPG SIGNATURE VERIFIED: BOSS@CORPORATE.COM

The message meaning has been completely altered, and GPG still verifies the signature. Feels like a big deal to me. But of course, I might have completely missed something.

Re:Oh no!

[Anonymous+Crowhead]

It's funny. Back in the day, when Slashdot was cool, almost everyone would know what GPG was. Most of the articles were like this one. Cool stuff about cool technology. Not politics (aside from GNU) and all the other crap like the "new mouse/keyboard techonolgy of the week" adverts that permeates Slashdot these days.

Re:GPG is:

[Martin+Blank]

Not as bad as an atom bomb, but classified along with, say, machineguns and antitank rockets. The software actually got out of the country legally by way of printing it in book format (which was not considered software at the time) and then scanning it in another country and using character recognition and a good deal of editing time to get it to compile properly.

This was also a primary catalyst for the argument of how strong exportable encryption should be, and which brought the encryption debate out into the public eye. Had he not done this, we might be a few years behind our current status, just having finished accepted the appropriateness of exporting heavy encryption.