mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-06 12:33:23 +01:00
212 lines
7.5 KiB
Plaintext
212 lines
7.5 KiB
Plaintext
|
GnuPG does not detect injection of unsigned data
|
||
|
================================================
|
||
|
(released 2006-03-09, CVE-2006-0049)
|
||
|
|
||
|
|
||
|
Summary
|
||
|
=======
|
||
|
|
||
|
In the aftermath of the false positive signature verfication bug
|
||
|
(announced 2006-02-15) more thorough testing of the fix has been done
|
||
|
and another vulnerability has been detected.
|
||
|
|
||
|
This new problem affects the use of *gpg* for verification of
|
||
|
signatures which are _not_ detached signatures. The problem also
|
||
|
affects verification of signatures embedded in encrypted messages;
|
||
|
i.e. standard use of gpg for mails.
|
||
|
|
||
|
To solve this problem, an update of the current stable version has
|
||
|
been released (see below).
|
||
|
|
||
|
Please do not respond to this message. The mailing list gnupg-devel
|
||
|
is the best place to discuss this problem (please subscribe first so
|
||
|
you don't need moderator approval [1]).
|
||
|
|
||
|
|
||
|
Impact:
|
||
|
=======
|
||
|
|
||
|
Signature verification of non-detached signatures may give a positive
|
||
|
result but when extracting the signed data, this data may be prepended
|
||
|
or appended with extra data not covered by the signature. Thus it is
|
||
|
possible for an attacker to take any signed message and inject extra
|
||
|
arbitrary data.
|
||
|
|
||
|
Detached signatures (a separate signature file) are not affected.
|
||
|
|
||
|
All versions of gnupg prior to 1.4.2.2 are affected.
|
||
|
|
||
|
Scripts and applications using gpg to verify the integrity of data are
|
||
|
affected. This includes applications using the GPGME library[2].
|
||
|
|
||
|
The GnuPG version 1.9.x is not affected unless the currently
|
||
|
deprecated gpg part has been enabled.
|
||
|
|
||
|
|
||
|
Solution:
|
||
|
=========
|
||
|
|
||
|
Update GnuPG as soon as possible to version 1.4.2.2. There are no
|
||
|
fixes for older versions available.
|
||
|
|
||
|
If you can't get an update from your vendor, please follow the
|
||
|
instructions found at http://www.gnupg.org/download/ or read on:
|
||
|
|
||
|
GnuPG 1.4.2.2 may be downloaded from one of the GnuPG mirror sites or
|
||
|
direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be
|
||
|
found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not
|
||
|
available at ftp.gnu.org.
|
||
|
|
||
|
On the mirrors you should find the following files in the *gnupg*
|
||
|
directory:
|
||
|
|
||
|
gnupg-1.4.2.2.tar.bz2 (2.8M)
|
||
|
gnupg-1.4.2.2.tar.bz2.sig
|
||
|
|
||
|
GnuPG source compressed using BZIP2 and OpenPGP signature.
|
||
|
|
||
|
gnupg-1.4.2.2.tar.gz (4.0M)
|
||
|
gnupg-1.4.2.2.tar.gz.sig
|
||
|
|
||
|
GnuPG source compressed using GZIP and OpenPGP signature.
|
||
|
|
||
|
gnupg-1.4.2.1-1.4.2.2.diff.bz2 (101k)
|
||
|
|
||
|
A patch file to upgrade a 1.4.2.1 GnuPG source.
|
||
|
|
||
|
Select one of them. To shorten the download time, you probably want to
|
||
|
get the BZIP2 compressed file. Please try another mirror if
|
||
|
exceptional your mirror is not yet up to date.
|
||
|
|
||
|
In the *binary* directory, you should find these files:
|
||
|
|
||
|
gnupg-w32cli-1.4.2.2.exe (1.4M)
|
||
|
gnupg-w32cli-1.4.2.2.exe.sig
|
||
|
|
||
|
GnuPG compiled for Microsoft Windows and OpenPGP signature.
|
||
|
Note that this is a command line version and now comes with a
|
||
|
graphical installer tool. The source files are the same as
|
||
|
given above. Note, that a new version of the Gpg4Win
|
||
|
package[3], including a fixed version of GnuPG has also been
|
||
|
released today.
|
||
|
|
||
|
|
||
|
In order to check that the version of GnuPG which you are going to
|
||
|
install is an original and unmodified one, you can do it in one of
|
||
|
the following ways:
|
||
|
|
||
|
* If you already have a trusted version of GnuPG installed, you can
|
||
|
simply check the supplied signature. Due to the fact that detached
|
||
|
signatures are used, the problem described here does not affect
|
||
|
this verification. For example to check the signature of the file
|
||
|
gnupg-1.4.2.2.tar.bz2 you would use this command:
|
||
|
|
||
|
gpg --verify gnupg-1.4.2.2.tar.bz2.sig
|
||
|
|
||
|
This checks whether the signature file matches the source file.
|
||
|
You should see a message indicating that the signature is good and
|
||
|
made by that signing key. Make sure that you have the right key,
|
||
|
either by checking the fingerprint of that key with other sources
|
||
|
or by checking that the key has been signed by a trustworthy other
|
||
|
key. Note, that you can retrieve the signing key using "finger wk
|
||
|
'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the
|
||
|
keyservers. From time to time I prolong the expiration date; thus
|
||
|
you might need a fresh copy of that key.
|
||
|
|
||
|
Never use a GnuPG version you just downloaded to check the
|
||
|
integrity of the source - use an existing GnuPG installation!
|
||
|
Watch out for a "Good signature" messages.
|
||
|
|
||
|
* If you are not able to use an old version of GnuPG, you have to
|
||
|
verify the SHA-1 checksum. Assuming you downloaded the file
|
||
|
gnupg-1.4.2.1.tar.bz2, you would run the sha1sum command like this:
|
||
|
|
||
|
sha1sum gnupg-1.4.2.2.tar.bz2
|
||
|
|
||
|
and check that the output matches the first line from the
|
||
|
following list:
|
||
|
|
||
|
f5559ddb004e0638f6bd9efe2bac00134c5065ba gnupg-1.4.2.2.tar.bz2
|
||
|
959540c1c6158e09d668ceee055bf366dc26d0bd gnupg-1.4.2.2.tar.gz
|
||
|
880b3e937f232b1ca366bda37c4a959aacbd84f3 gnupg-1.4.2.1-1.4.2.2.diff.bz2
|
||
|
95dd7fd4c49423b86704acfc396ce5a53c8b19e7 gnupg-w32cli-1.4.2.2.exe
|
||
|
|
||
|
|
||
|
|
||
|
Background:
|
||
|
===========
|
||
|
|
||
|
OpenPGP messages are made up of packets. The signed data is a packet,
|
||
|
the actual signature is a packet and there are several control packets
|
||
|
as well. For example:
|
||
|
|
||
|
O + D + S
|
||
|
|
||
|
This describes a standard signed message made made up of a control
|
||
|
packet (O for one-pass signature packet), the actual signed data (D)
|
||
|
and the actual signature packet (S). gpg checks that the signature S
|
||
|
is valid over the data D. This is actually easy if not OpenPGP and
|
||
|
GnuPG would have a long tradition of changing the fromats. PGP 2
|
||
|
versions used a different way of composing these packets:
|
||
|
|
||
|
S + D
|
||
|
|
||
|
and early versions of gpg, released before RFC2440, even created
|
||
|
|
||
|
D + S
|
||
|
|
||
|
i.e. without the one-pass packet. Still this would all be easy to
|
||
|
process properly but in an ill-advised attempt to make things easier,
|
||
|
gpg allowed the processing of multiple signatures per file, like
|
||
|
|
||
|
O1 + D1 + S1 + O2 + D2 + S2
|
||
|
|
||
|
where two standard signatures are concatenated. Now when combining
|
||
|
this with the other variants of signatures, things get really messy
|
||
|
and it is not always possible to assocciate the signature (S) with the
|
||
|
signed data (D). gpg checked that this all works but unfortunately
|
||
|
these checks are not sufficient enough. The attack is to change a
|
||
|
standard message to inject faked data (F). A simple case is this:
|
||
|
|
||
|
F + O + D + S
|
||
|
|
||
|
gpg now happily skips F for verification and does a proper signature
|
||
|
verification of D and if this succeeds, prints a positive result.
|
||
|
However when asked to output the actual signed data it will output the
|
||
|
concatenation of F + D and thus create the impression that both are
|
||
|
covered by the signature. Depending on how gpg is invoked (in a
|
||
|
pipeline or using --output) it may even output just F and not at all
|
||
|
D. There are several variants of the attack in where to put the faked
|
||
|
data.
|
||
|
|
||
|
The only correct solution to this problem is to get rid of the feature
|
||
|
to check concatenated signatures - this allows for strict checking of
|
||
|
valid packet composition. This is what has been done in 1.4.2.2 and
|
||
|
in the forthcoming 1.4.3rc2. These versions accept signatures only if
|
||
|
they are composed of
|
||
|
|
||
|
O + D + S
|
||
|
S + D
|
||
|
|
||
|
Cleartext signatures are of course also supported, they are similiar
|
||
|
to the O+D+S case.
|
||
|
|
||
|
The actual checking for valid signature packet composition is done at
|
||
|
g10/mainproc.c, at the top of check_sig_and_print().
|
||
|
|
||
|
|
||
|
Thanks
|
||
|
======
|
||
|
|
||
|
Tavis Ormandy again poked on gpg and found this vulnerability.
|
||
|
|
||
|
The new version has been released yesterday and should by now be
|
||
|
available on all mirrors.
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
[1] http://lists.gnupg.org/mailman/listinfo/gnupg-devel
|
||
|
[2] http://www.gnupg.org/related_software/gpgme
|
||
|
[3] http://www.gpg4win.org
|