GnuPG bug (Anonymous Servers archive, December 2006)
Anonyma 2006-12-08, 7:15 am

I'm hoping everyone has been made aware of the very serious bug found
in GnuPG which might allow a remote attacker to execute code with user
permissions by sending specially crafted (encrypted OR signed) data.
This is bad news for anyone who automatically verifies signed emails
for example, and absolutely horrible news for anyone who might be
doing something like GnuPG verifying scheduled package updates as
root. :-(
It's important that 1.x branch users upgrade to 1.4.6 immediately, and
2.x branch users either apply the distributed 2.0.1 patch and
recompile, or update to the latest development (2.0.2-svnxxxx) version.
Know that gpg and gpgv are both vulnerable but gpg-agent, gpgsm, etc.,
are not. So it's safe to run the latest 2.0.1 release version of agent
and the smart card daemon/utilities along side an updated 1.4.6 "main"
installation. I know there's a lot of people doing exactly that.
Files and more info at www.gnupg.org of course....
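Added example, not code from the original thread or from the GnuPG project: a small audit script that parses the first line of `gpg --version` / `gpgv --version` and maps it onto the upgrade advice in the post above. It assumes the banner shape `gpg (GnuPG) x.y.z[-svnNNNN]`, that every release below the named fix is affected, and that a 2.0.2-svn snapshot carries the fix.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Only gpg and gpgv are affected; gpg-agent, gpgsm and the smart card tools are not.
AFFECTED_PROGRAMS = {"gpg", "gpgv"}

# Assumed banner shape (first line of `<prog> --version`):
#   "gpg (GnuPG) 1.4.5"  or  "gpg (GnuPG) 2.0.2-svn4321"
BANNER_RE = re.compile(r"^(\S+) \(GnuPG\) (\d+)\.(\d+)\.(\d+)(-svn\d*)?", re.M)


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, int, int], bool]]:
    """Return (program, (major, minor, patch), is_svn_snapshot), or None if unparseable."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return m.group(1), version, m.group(5) is not None


def assess(program: str, version: Tuple[int, int, int], is_svn: bool) -> str:
    """Classify one binary against the thread's advice (assumption: every release
    below the named fix is affected; a 2.0.2-svn snapshot carries the fix)."""
    if program not in AFFECTED_PROGRAMS:
        return "not affected"
    if version[0] < 2:  # 1.x branch: fixed in 1.4.6
        return "fixed" if version >= (1, 4, 6) else "VULNERABLE: upgrade to 1.4.6"
    if version >= (2, 0, 2):
        return "fixed (development snapshot)" if is_svn else "fixed"
    if version == (2, 0, 1):
        # The version string cannot show whether the distributed 2.0.1 patch was applied.
        return "UNKNOWN: 2.0.1 is fixed only if the distributed patch was applied and rebuilt"
    return "VULNERABLE: apply the 2.0.1 patch or update to the latest 2.0.2-svn"


def assess_banner(banner: str) -> str:
    parsed = parse_banner(banner)
    return assess(*parsed) if parsed else "unparseable version banner"


def check_installed(program: str) -> str:
    """Run `<program> --version` on this host and report its status."""
    path = shutil.which(program)
    if path is None:
        return f"{program}: not installed"
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return f"{program}: {assess_banner(out.stdout)}"


if __name__ == "__main__":
    for prog in ("gpg", "gpgv", "gpg-agent"):
        print(check_installed(prog))
```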
Thomas J. Boschloo 2006-12-08, 7:13 pm

Anonyma wrote:
[snip]
> Files and more info at www.gnupg.org of course....
Man, don't you hate it when that happens? Like it wasn't easy enough to
get into a Windows operated system anyhow (e.g. with signed Microsoft
automatic updates).
Hope 1.4.6 lasts longer than 1.4.5 :-(
Thomas
--
It is ironic, that ultimately, it is the politicians that push for the
use for lie detectors
Non scrivetemi 2006-12-09, 1:15 am

Thomas J. Boschloo wrote:
> Anonyma wrote:
> [snip]
> Man, don't you hate it when that happens? Like it wasn't easy enough
> to get into a Windows operated system anyhow (e.g. with signed
> Microsoft automatic updates).
At least serious bugs in GnuPG get fixed in a timely manner rather
than hanging around for 2+ years after they've been publicly
disclosed. ;)
By the way this bug was spotted by a third party. A dandy example of
the Open Source paradigm in action.
> Hope 1.4.6 lasts longer than 1.4.5 :-(
Upgrades bug you, do they?
You should try living on the bleeding SVN edge some time. ;)