GnuPG - Serious Flaw Discovered.

x942 · Aug 8, 2013

Huge Vulnerability in GPG
GPG is an open-source version of the PGP e-mail encryption protocol. Recently, a very serious vulnerability was discovered in the software: given a signed e-mail message, you can modify the message -- specifically, you can prepend or append arbitrary data -- without disturbing the signature verification.
Click to expand...

Source

Version 1.4.2.2 fixes this bug. The bug apparently effects all previous versions.

EDIT:

Through more research this may not be as big of a deal as I initially thought:

In other words, GPG looks at an email message and sees headers and the like. Of course, the headers were not signed (just the message), so GPG skips them and when it encounters the signed message, it begins to verify the signature.

So, if you are an attacker, you insert something before or after the signed message, and when GPG goes to verify it, the signed message passes, but GPG nicely prints out the whole message for you, instead of just the signed part. Oops, not a big deal, encryption isn't broken, in fact this is just an application
Click to expand...

Source

Hungry Man · Aug 8, 2013

This isn't really surprising. You can do the same thing with signed files. What you can't do is modify any of the signed content, but you can add a certain amount of data to it.

x942 · Aug 8, 2013

Hungry Man said:

This isn't really surprising. You can do the same thing with signed files. What you can't do is modify any of the signed content, but you can add a certain amount of data to it.
Click to expand...

Yup. I just added some more information to the OP. Apparently some plugins don't have this issue at all (they separate the unsigned portion from the signed portion. Only issue is basically that GPG display the unsigned data with the signed data. Could be confusing for users.

chrisretusn · Aug 9, 2013

Is this really a "huge" or "serious" flaw? What sort of data could be added and how would that impact the security of the signed content?

JackmanG · Aug 11, 2013

chrisretusn said:

Is this really a "huge" or "serious" flaw? What sort of data could be added and how would that impact the security of the signed content?
Click to expand...

It wouldn't. He made a mistake.

chrisretusn · Aug 11, 2013

Hmm... as I figured. It just seems to me a lot of "security" issues are overblown.

Log in or Sign up

GnuPG - Serious Flaw Discovered.

x942 Guest

Hungry Man Registered Member

x942 Guest

chrisretusn Registered Member

JackmanG Former Poster

chrisretusn Registered Member

Log in or Sign up

GnuPG - Serious Flaw Discovered.

x942 Guest

Hungry Man Registered Member

x942 Guest

chrisretusn Registered Member

JackmanG Former Poster

chrisretusn Registered Member

Useful Searches