GnuPG Unsigned Data Injection Hole
Written by Editor   
Monday, 13 March 2006 14:31
It seems that the popular public key crypto application GnuPG has a problem with the handling of signed information in non-detached signatures. Signature verification of non-detached signatures may give a false positive result. Also, when the signed data is extracted, it may be prepended or appended with extra data that was not covered by the signature. An attacker could therefore create signed data that allows the injection of arbitrary data.

This method of using non-detached signatures is commonly used in email messages. However, verification of detached signatures (i.e. a separate signature file) is not affected by this bug.

It is highly recommended that users of GnuPG upgrade their versions of GnuPG as soon as possible.
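
The following is an added example, not code from the original article or from the GnuPG project: a structural pre-check that accepts a binary OpenPGP stream only if it is exactly one literal data packet wrapped by its signature packets, so there is no extra packet whose contents could end up in the extracted output. It assumes dearmored, uncompressed input with definite packet lengths (anything else is rejected); the function names and sample bytes are constructed for illustration, and passing this check does not replace cryptographic verification.

```python
# Added example; helper names are hypothetical. Packet tags per RFC 4880.
SIG, ONEPASS, LITERAL = 2, 4, 11

def _take(data, i, n):  # read an n-octet big-endian integer at offset i
    if i + n > len(data):
        raise ValueError("truncated packet")
    return int.from_bytes(data[i:i + n], "big"), i + n

def packet_tags(data):  # tag of every top-level packet, or ValueError
    tags, i = [], 0
    while i < len(data):
        hdr, i = _take(data, i, 1)
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag = hdr & 0x3F
            length, i = _take(data, i, 1)
            if 192 <= length <= 223:
                low, i = _take(data, i, 1)
                length = ((length - 192) << 8) + low + 192
            elif length == 255:
                length, i = _take(data, i, 4)
            elif length >= 224:
                raise ValueError("partial body length not handled")
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            length, i = _take(data, i, 1 << ltype)
        if i + length > len(data):
            raise ValueError("truncated packet body")
        tags.append(tag)
        i += length
    return tags

def is_single_signed_literal(data):
    # Accept only: Signature(s) + Literal, or k One-Pass + Literal + k Signature.
    try:
        tags = packet_tags(data)
    except ValueError:
        return False  # fail closed on anything this sketch cannot parse
    n, k = len(tags), (len(tags) - 1) // 2
    if n >= 2 and tags[-1] == LITERAL and all(t == SIG for t in tags[:-1]):
        return True
    return n >= 3 and n % 2 == 1 and tags == [ONEPASS] * k + [LITERAL] + [SIG] * k

def _pkt(tag, body):  # constructed sample packet: new-format header, short body
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed samples; the bodies are placeholders, not real signatures.
GOOD = _pkt(ONEPASS, b"\0" * 13) + _pkt(LITERAL, b"b\0\0\0\0\0signed") + _pkt(SIG, b"\0" * 10)
EXTRA = _pkt(LITERAL, b"b\0\0\0\0\0unsigned") + GOOD  # extra literal packet in front
```

A stream that fails this check should be treated as unverified regardless of what the signature check itself reports.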

Last Updated ( Thursday, 14 September 2006 22:03 )