Security Flaw Discovered in GPG

Posted by CowboyNeal
from the enemy-within dept.
WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."
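Two defensive checks that follow from the summary above, written here as an added example (this is not GnuPG project code and not part of the original story): a version gate against the 1.4.2.2 floor the summary names, and a strict reader for GnuPG's `--status-fd` output that refuses a verification result unless it describes exactly one good signature covering exactly one plaintext packet. The "exactly one PLAINTEXT" rule is this example's own assumption about how injected, unsigned data would surface in the status stream; the sample status lines are constructed, not captured from a real run.

```python
"""Defensive checks around the GnuPG signature-verification flaw (added example).

Assumptions (not from the original page):
  - gpg is invoked with --status-fd so machine-readable "[GNUPG:] ..." lines
    are available; the status keywords used below (GOODSIG, VALIDSIG, BADSIG,
    ERRSIG, NODATA, UNEXPECTED, PLAINTEXT) are standard GnuPG status lines.
  - A message whose data is fully covered by one signature yields exactly one
    PLAINTEXT status line; more than one is treated as injected data.
"""
import re
import subprocess
from typing import List, Optional, Tuple

MIN_FIXED_VERSION = "1.4.2.2"  # first fixed release, as stated in the summary
STATUS_PREFIX = "[GNUPG:] "
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "UNEXPECTED", "EXPKEYSIG", "REVKEYSIG"}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted version out of e.g. 'gpg (GnuPG) 1.4.2.2'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def gpg_is_patched(version_output: str, minimum: str = MIN_FIXED_VERSION) -> bool:
    """True only if the version line is at or beyond the fixed release.
    An unparsable version is treated as unpatched (fail closed)."""
    found = parse_version(version_output)
    return found is not None and found >= parse_version(minimum)


def verify_status(status_lines: List[str]) -> Tuple[bool, str]:
    """Decide from --status-fd output whether a message is fully signed.

    Accept only when: no fatal status line appears, exactly one GOODSIG and
    one VALIDSIG are present, and exactly one PLAINTEXT packet was seen.
    """
    goodsig = validsig = plaintext = 0
    for raw in status_lines:
        if not raw.startswith(STATUS_PREFIX):
            continue  # ignore ordinary stderr noise
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword in FATAL_KEYWORDS:
            return False, f"rejected: {keyword}"
        if keyword == "GOODSIG":
            goodsig += 1
        elif keyword == "VALIDSIG":
            validsig += 1
        elif keyword == "PLAINTEXT":
            plaintext += 1
    if goodsig != 1 or validsig != 1:
        return False, f"expected one good signature, saw GOODSIG={goodsig} VALIDSIG={validsig}"
    if plaintext != 1:
        return False, f"expected one plaintext packet, saw {plaintext}"
    return True, "ok"


def verify_detached(sig_path: str, data_path: str) -> Tuple[bool, str]:
    """Run gpg on a detached signature and apply verify_status to its output.
    Detached signatures keep the signed bytes in a separate file, so there is
    no inline data stream for unsigned packets to hide in."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return verify_status(proc.stdout.splitlines())


# Constructed sample status streams (not real gpg output).
CLEAN_STATUS = [
    "[GNUPG:] PLAINTEXT 62 1141942200 message.txt",
    "[GNUPG:] SIG_ID PLACEHOLDERSIGID 2006-03-09 1141942200",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-03-09 1141942200",
]
# Same signature, but an extra unsigned plaintext packet was injected up front.
INJECTED_STATUS = ["[GNUPG:] PLAINTEXT 62 1141942200 injected.txt"] + CLEAN_STATUS
BADSIG_STATUS = [
    "[GNUPG:] PLAINTEXT 62 1141942200 message.txt",
    "[GNUPG:] BADSIG 0123456789ABCDEF Alice <alice@example.org>",
]

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN_STATUS), ("injected", INJECTED_STATUS), ("badsig", BADSIG_STATUS)):
        print(name, verify_status(stream))
    print("1.4.2.2 patched:", gpg_is_patched("gpg (GnuPG) 1.4.2.2"))
```

The point of `verify_status` is that a GOODSIG line on its own is not a verdict about the whole message; a script should treat the status stream as a structured record and reject anything it did not expect, rather than grepping for the one happy keyword.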
  • Oh no! (Score:4, Funny)

    by MyLongNickName (822545) on Thursday March 09, 2006 @10:24PM (#14888032) Journal
    A serious security issue in GPG! We are all doomed!

    what is GPG?

    Yeah, I will go RTFA. However, summaries that assume you are familiar with an acronym are rude, IMHO ;)
  • Whew! (Score:5, Funny)

    by suso (153703) * on Thursday March 09, 2006 @10:25PM (#14888037) Homepage Journal
    It's a good thing I don't use GPG to sign my emails. Oh wait.
  • by Un-Thesis (700342) on Thursday March 09, 2006 @10:27PM (#14888047) Homepage

    For all the tinfoil hat people out there, I propose that the bug may have been placed intentionally, since GnuPG is, in fact, an open-source community project. So instead of taking hours to obtain a GPG key, the NSA could spend seconds and impersonate an otherwise [strike]paranoid[/strike] privacy-oriented person in typically confidential memos. Maybe a full accounting as to when the bug got there, how it got there, who put it there and the chances of it being purely human error are to be demanded? After all, some people (including myself) have invested some very expensive stakes in the security of GnuPG over the years.

    HopeSeekr of xMule

  • by Saeed al-Sahaf (665390) on Thursday March 09, 2006 @10:29PM (#14888057) Homepage
    The NSA secretly seeding Open Source with ingeniously crafted back doors? Never! Not our NSA...
  • by Anonymous Coward on Thursday March 09, 2006 @10:29PM (#14888058)

    That GPG user lives downstairs; I'll just tell him there is a problem.

  • by baomike (143457) on Thursday March 09, 2006 @10:35PM (#14888079)
    Sounds like a movie rating.
  • Aha! (Score:5, Funny)

    by evil agent (918566) on Thursday March 09, 2006 @10:35PM (#14888081)
    She thought she could get rid of me with that rejection via email. Now I've got reasonable doubt about her feelings. Until I get that court order, of course.
  • by JustOK (667959) on Thursday March 09, 2006 @11:03PM (#14888203) Journal
    Don't you think they're smart enough to think that you would think they weren't that stupid?
  • Re:Aha! (Score:4, Funny)

    by Anonymous Coward on Thursday March 09, 2006 @11:10PM (#14888233)
    well, if you're lucky the court order will come by email too.
  • by Sloppy (14984) on Thursday March 09, 2006 @11:20PM (#14888277) Homepage Journal
    I'm not even smart enough to understand what you just said.
  • by Yoik (955095) on Thursday March 09, 2006 @11:24PM (#14888295) Journal
    That information should never have been released! The negative press will impact sales. It would have been better to pretend the bug never existed.

    Oh, it isn't a corporate product, never mind.
  • check.. (Score:5, Funny)

    by dotpavan (829804) on Thursday March 09, 2006 @11:25PM (#14888301) Homepage
    Did anybody cross-check the authenticity of that warning? I won't accept that until I verify its GPG key :)
  • by TPS Report (632684) on Thursday March 09, 2006 @11:32PM (#14888332) Homepage

    Another good recommendation is to diversify your crypto. Sign/encrypt your data with multiple different crypto algorithms in the same message.

    That's an awesome idea. I'm going to start doing that right now! :P

    This is a multi-part message in MIME format.
    ------=_NextPart_000_0012_01C22048.805E6800
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    Test

    ------=_NextPart_000_0012_01C22048.805E6800
    Content-Type: application/x-pkcs7-signature; name="smime.p7s"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="smime.p7s"

    MIAGCSqGSIb3DQEHAqCAMIAC AQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAo
    IIKGDCC Ajww ggGlAhAyUDPPUNFW81yBrWVcT8glMA0GCSqGSIb3DQEBAgUAMF 8xC
    zAJBgNVBAYTAlVTMRcwFQYD VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ
    2xhc3Mg MSBQdWJsaWMgUHJpbWFyeSBDZXJ0 aWZpY2F0aW9uIEF1dGhvcml0eTAeF
    w05NjAxMjkwMDAwMDBa Fw0yMDAxMDcyMzU5NTlaMF8xCzAJ BgNVBAYTAlVTMRcwF
    QYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3 MDUGA1UECxMuQ2xhc3MgMSBQdWJs aWMgU
    HJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCB nzANBgkqhkiG9w0BAQEFAA
    OBjQAw gYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIgu VzqKCbJF
    0NH8xlbgyw0FaEGIea BpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzR
    QR 4k5FVmkfeAKA2txHkSm7NsljXMXg 1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAAT
    ANBgkqhkiG9w0B AQIFAAOBgQBLRGZgaGTkmBvzsHLm lYl83XuzlcAdLtjYGdAtND
    3GUJoQhoyqPzuoBPw3UpXD2cnb zfKGBsSxG/CCiDBCjhdQHGR6uD6Z SXSX/KwCQ/
    uWDFYEJQx8fIedJKfY8DIptaTfXaJMxRYyqEL2 Raa2Nrngv2U2k8LS12vc3lnWojX
    RTCCAy4wggKXoAMCAQICE QDSdi6NFAw9fbKoJV2v7g11MA0GCSqGSIb3DQEBAgUAM
    F8xC zAJBgNV BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1 UEC
    xMuQ2xhc3MgMSBQdWJsaWMg UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0e
    TAeFw05 ODA1MTIwMDAwMDBaFw0wODA1MTIy MzU5NTlaMIHMMRcwFQYDVQQKEw5WZ
    XJpU2lnbiwgSW5jLjEf MB0GA1UECxMWVmVyaVNpZ24gVHJ1 c3QgTmV0d29yazFGM
    EQGA1UECxM9d3d3LnZlcmlzaWduLmNv bS9yZXBvc2l0b3J5L1JQQSBJbmNv cnAuI
    EJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/ VmVyaVNpZ24gQ2xhc3MgMS
    BDQSBJ bmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaW RhdGVkMI
    GfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQC7WkSKBBa7Vf0DeootlE8VeDa4DU
    qy b5xUv7zodyqdufBou5XZMUFweoFL uUgTVi3HCOGEQqvAopKrRFyqQvCCDgLpL/
    vCO7u+yScKXbaw NkIztW5UiE+HSr8Z2vkV6A+Hthzj zMaajn9qJJLj/OBluqexfu
    /J2zdqyErICQbkmQIDAQABo3ww ejARBglghkgBhvhCAQEEBAMCAQYw RwYDVR0gBE
    AwPjA8BgtghkgBhvhFAQcBATAtMCsGCCsGAQUF BwIBFh93d3cudmVyaXNpZ24uY29
    t L3JlcG9zaXRvcnkvUlBBMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR 0PBAQDAgEGMA0
    GCSqGSIb3DQEB AgUAA4GBAIi4Nzvd2pQ3AK2qn+GBAXEekmptL/bxndPKZDjcG5 g
    MB4ZbhRVqD7lJhaSV8Rd9Z7R/ LSzdmkKewz60jqrlCwbe8lYq+jPHvhnXU0zDvcj
    jF7WkSUJj 7MKmFw9dWBpJPJBcVaNlIAD9GCDl X4KmsaiSxVhqwY0DPOvDzQWikK5
    uMIIEojCCBAugAwIBAgIQ BUy90AsJrAtbnO8CULdhXDANBgkq hkiG9w0BAQIFADC
    BzDEXMBUGA1UEChMOVmVyaVNpZ24sIElu Yy4xHzAdBgNVBAsTFlZlcmlTaWdu IFR
    ydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2ln bi5jb20vcmVwb3NpdG9y
    eS9SUEEg SW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBA MTP1Zl
    cmlTaWduIENsYXNzIDEg Q0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEg
    Tm90 IFZhbGlkYXRlZDAeFw0wMTA3MTYw MDAwMDBaFw0wMjA3MTYyMzU5NTlaMIIB
    FDEXMBUGA1UEChMO VmVyaVNpZ24sIEluYy4xHzAdBgNV BAsTFlZlcmlTaWduIFRy
    dXN0IE5ldHdvcmsxRjBEBgNVBAsT PXd3dy52ZXJpc2lnbi5jb20vcmVw b3NpdG9y
    eS9SUEEgSW5jb

  • by Anonymous Coward on Thursday March 09, 2006 @11:32PM (#14888335)
    I'm tired of their insecure crap! Oh wait, it's GNU open source? In that case, you lazy bastard end users should have fixed it yourself!
  • by From A Far Away Land (930780) on Thursday March 09, 2006 @11:44PM (#14888401) Homepage Journal
    Do you suppose the NSA is also responsible for the backdoor exploit on the Goatse guy?
  • Quick! (Score:4, Funny)

    by SuperKendall (25149) * on Thursday March 09, 2006 @11:50PM (#14888441)
    Better assign a security Czar!
  • Re:Whew! (Score:5, Funny)

    by Anonymous Coward on Friday March 10, 2006 @12:31AM (#14888598)
    I have been publishing my GPG key for over a year now and I have yet to have anyone send me an encrypted email. I feel really lonely and unpopular. I'd even read encrypted penis enlargement spam if someone would be thoughtful enough to send me some.
  • Re:Oh no! (Score:3, Funny)

    by pete-classic (75983) <hutnick@gmail.com> on Friday March 10, 2006 @12:41AM (#14888625) Homepage Journal
    What the fuck is an IMHO, and what does it have to do with a RTFA?

    -Peter
  • Re:GPG is: (Score:2, Funny)

    by realbadjuju (870896) on Friday March 10, 2006 @01:20AM (#14888738)
    Mod parent up, since he's right...
  • by Anonymous Coward on Friday March 10, 2006 @01:44AM (#14888802)
    No, that was a widely known and exploited crack.
  • by LS (57954) on Friday March 10, 2006 @03:06AM (#14889033) Homepage

    How in the F*** did THAT make it through the lameness filters?!
  • Re:Oh no! (Score:3, Funny)

    by xchino (591175) on Friday March 10, 2006 @04:39AM (#14889231)
    Mod parent down. What a disgusting display of arrogance and elitism. You're the one who shouldn't be here, regardless of how low your UID is.

    "If you do not know what GPG is, you're not a nerd - and you're on the wrong site."

    I think about 98% of the science department at any college would tell you exactly what a fucking idiot you are for making such a broadly stupid statement. Are you seriously so deluded that you think the only type of nerd is a computer nerd? And that all computer nerds have heard of this one specific release of a technology rarely used even in business environments? The majority of nerds and geeks don't know what GPG is. People like you and me are the minority, fucking get over it, and get over yourself.

    "Seriously: Go away."

    Fuck you, you go away. I'd take a complete know-nothing over an arrogant asshole any day. People like you detract from the value of this site. No one gives a shit you've been here since the 90's. Why don't you go have a plaque made to hang up on your bedroom wall to show how cool you are? Do you put your slashdot UID on resumes as an achievement?

    "Rude is to be at a site where you obviously do not belong - irritating the people who has frequented the site since the 90s."

    Rude is to act like you are the sole arbitrator of who should and should not be allowed to voice their opinion on an open forum, like you're the fucking gestapo or something. Given the recent history of postings The GP [slashdot.org] has, in the eyes of the users of this site, a better quality of contribution than You [slashdot.org].

    Based on your attitude I can only assume you are a sad, pathetic man, with delusions of some sort of elevated importance via seniority. I, as well as the majority of Slashdotters, welcome ANYONE who is interested in science, technology, gaming, or any of the various subjects that Slashdot covers, including politics, regardless of their ignorance of a certain subject or technology. You're nothing but an eSnob.

  • by Anonymous Coward on Friday March 10, 2006 @11:54AM (#14890915)
    Dear Alice,

    Have you heard? GPG has a bug in it that lets people append data to a signed email message! What are we going to do to stop Mallory from attacking us?

    Sincerely,
    Bob

    PS. Jus7 k!dd!ng! 1ts n0t 7ru3! I'm t@lk!ng thr0ugh my @$$!! LOLOLOLOLOL
