False positive signature verification in GnuPG ============================================== (released 2006-02-15) Summary ======= The Gentoo project identified a security related bug in GnuPG. When using any current version of GnuPG for unattended signature verification (e.g. by scripts and mail programs), false positive signature verification of detached signatures may occur. This problem affects the tool *gpgv*, as well as using "gpg --verify" to imitate gpgv, if only the exit code of the process is used to decide whether a detached signature is valid. This is a plausible mode of operation for gpgv. If, as suggested, the --status-fd generated output is used to decide whether a signature is valid, no problem exists. In particular applications making use of the GPGME library[2] are not affected. To solve this problem an update of the current stable version has been released (see below). Please do not send private mail in response to this message. The mailing list gnupg-devel is the best place to discuss this problem (please subscribe first so you don't need moderator approval [1]). Impact: ======= Signature verification of detached signatures does not work, thus modified versions of signature protected files may not be detected. All versions of gnupg prior to 1.4.2.1 are affected if they are used in certain unattended operation modes. There is no problem using GnuPG in an interactive way because GnuPG won't print any signature status at all; i.e. no "Good signature". Scripts and applications using gpg or gpgv with the --status-fd option and properly parsing this output are not affected. Applications using the GPGME library[2] are not affected. The GnuPG versions 1.9 are not affected unless the currently deprecated gpg part has been enabled. Solution: ========= Update GnuPG as soon as possible to version 1.4.2.1. There are no fixes for older versions available, although the fix described below may be adjusted for them. To update please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 1.4.2.1 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the mirrors you should find the following files in the *gnupg* directory: gnupg-1.4.2.1.tar.bz2 (2.8M) gnupg-1.4.2.1.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-1.4.2.1.tar.gz (4.0M) gnupg-1.4.2.1.tar.gz.sig GnuPG source compressed using GZIP and OpenPGP signature. gnupg-1.4.2-1.4.2.1.diff.bz2 (39k) A patch file to upgrade a 1.4.2 GnuPG source. Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptional your mirror is not yet up to date. In the *binary* directory, you should find these files: gnupg-w32cli-1.4.2.1.exe (1.4M) gnupg-w32cli-1.4.2.1.exe.sig GnuPG compiled for Microsoft Windows and OpenPGP signature. Note that this is a command line version and now comes with a graphical installer tool. The source files are the same as given above. Note, that a new version of the Gpg4Win package[4], including an updated version of GnuPG will be available later the day. In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.2.1.tar.bz2 you would use this command: gpg --verify gnupg-1.4.2.1.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using "finger wk 'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the keyservers. From time to time I prolong the expiration date; thus you might need a fresh copy of that key. Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation! Watch out for a "Good signature" messages. * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-1.4.2.1.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-1.4.2.1.tar.bz2 and check that the output matches the first line from the following list: 1c0306ade25154743d6f6f9ac05bee74c55c6eda gnupg-1.4.2.1.tar.bz2 cefc74560f21bde74eed298d86460612cd7e12ee gnupg-1.4.2.1.tar.gz 98d597b1a9871b4aadc820d8641b36ce09125612 gnupg-1.4.2-1.4.2.1.diff.bz2 a4db35a72d72df8e76751adc6f013b4c96112fd4 gnupg-w32cli-1.4.2.1.exe Background: =========== If a file with arbitrary data, for example 64 times the character 0xCA, is used as the detached signature, any data file will lead to gpg exiting with 0 (success). There won't be any messages indicating that the signature is valid or false: $ fortune >x.txt $ perl -e 'print "\xca"x"64"' >x.txt.sig $ gpgv x.txt.sig x.txt $ echo $? 0 Cleary this should not return success. The same problem appears when using "gpg --verify" in place of gpgv. However in this case any application should to do further checks to make sure that the key verifying the signature is actually the desired one, thus using "gpg --verify" without processing the --status-fd generated output is in general the wrong approach. The fixed version makes sure that gpgv and "gpg --verify" won't return success if no signature has been seen. A minimal but sufficient fix against 1.4.2 and possible older versions is: ====8<============ --- g10/mainproc.c (revision 4001) +++ g10/mainproc.c (working copy) @@ -77,6 +77,7 @@ int op; int stop_now; } pipemode; + int any_sig_seen; /* Set to true if a signature packet has been seen. */ }; @@ -217,6 +218,7 @@ { KBNODE node; + c->any_sig_seen = 1; if( pkt->pkttype == PKT_SIGNATURE && !c->list ) { /* This is the first signature for the following datafile. * GPG does not write such packets; instead it always uses @@ -1137,6 +1139,18 @@ c->signed_data = signedfiles; c->sigfilename = sigfilename; rc = do_proc_packets( c, a ); + + /* If we have not encountered any signature we print an error + messages, send a NODATA status back and return an error code. + Using log_error is required because verify_files does not check + error codes for each file but we want to terminate the process + with an error. */ + if (!rc && !c->any_sig_seen) + { + write_status_text (STATUS_NODATA, "4"); + log_error (_("no signature found\n")); + rc = -1; + } m_free( c ); return rc; } ====>8============ Note that the released version also includes a test case for this bug and prints an additional diagnostic. With the patch above the output using the same test data as above should be: $ gpgv x.txt.sig x.txt gpgv: no signature found gpgv: verify signatures failed: eof $ echo $? 2 Thanks ====== taviso from the Gentoo project found this vulnerability and informed me on Monday evening. Unfortunately I had already switched off my monitor at that time. The update has been released yesterday evening (CET). [1] http://lists.gnupg.org/mailman/listinfo/gnupg-devel [2] http://www.gnupg.org/related_software/gpgme [3] http://www.gpg4win.org