Security Flaw Discovered in GPG
WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data, as several variants of this attack have been discovered. All versions of GnuPG prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."
Don't forget the RSA key that had the words "NSA key" in the debug symbols that first made it into Windows 98 and stayed there until WinXP SP2!! I feel these things are probably very prevalent; it's already common knowledge every U.S. ISP is pwned by their black boxes, usually also loaned to the FBI and then false-flagged as 'carnivore' (in reality it's an outcropping of ECHELON...err, now ADVISE (see my slashdotted story...))
Promote freedom; fight fascism.
Ah, the famous "I want to be near the top, so I will reply to something that isn't related to what I am posting so I can get karma".