
[suse-security] Re: SUSE Security Announcement: gpg,liby2util signature checking problems (SUSE-SA:2006:013)

On Mar 6, Malte Gell <malte.gell@xxxxxx> wrote:

> On Wednesday 01 March 2006 10:24, Marcus Meissner wrote:
> Hello,
> >         Package:                gpg,liby2util
> >         Announcement ID:        SUSE-SA:2006:013
> >         Date:                   Wed, 01 Mar 2006 11:00:00 +0000
> >         Affected Products:      SUSE LINUX 10.0
> the longer I think about this, the more this bug frightens me... For so 
> many years up to now it was possible to foist malicious code with 
> faulty gpg signatures... Has there ever been evidence that someone made 
> use of this terribly severe bug? 

I don't think so. Luckily, fou4s [1] has not used the return value at all 
during the past 3 years. It used the text output of the gpg --verify 
command and was therefore immune to that problem. This also proves that at 
least on the common mirrors (ftp.gwdg.de, sometimes ftp.leo.org I think, 
and lately also suse.inode.at) no manipulated packages were placed.

Of course this is not guaranteed for other mirrors, but maybe other fou4s 
users can give you some assurance there as well.

[1] http://fou4s.gaugusch.at

__________________    /"\
Markus Gaugusch       \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at  X     Against HTML Mail
                      / \
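As an added example (not code from fou4s, gpg or the SUSE advisory), this is the approach Markus describes done robustly: gpg's exit status alone is treated as insufficient, and the machine-readable lines gpg emits with --status-fd are parsed, requiring both GOODSIG and VALIDSIG from an expected key. The key fingerprint, user id and sample status lines are constructed placeholders.

```python
import re
import subprocess
from typing import Iterable, NamedTuple

# gpg --status-fd lines look like "[GNUPG:] KEYWORD args..."; anything else is human text.
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")
FATAL = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}
Verdict = NamedTuple("Verdict", [("ok", bool), ("reason", str)])

def evaluate(status_lines: Iterable[str], exit_code: int, expected_fprs: Iterable[str]) -> Verdict:
    """ok=True only if gpg reported GOODSIG plus VALIDSIG from an allowed key and
    nothing contradicting it; an exit code of 0 on its own never counts."""
    allowed = {f.upper() for f in expected_fprs}
    good, valid_fpr = False, None
    for line in status_lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # human-readable output, not a status line
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword in FATAL:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            valid_fpr = args[0].upper()  # first field is the signing key fingerprint
    if not (good and valid_fpr):
        return Verdict(False, f"no GOODSIG/VALIDSIG in status output (gpg exit code {exit_code})")
    if valid_fpr not in allowed:
        return Verdict(False, f"signed by unexpected key {valid_fpr}")
    return Verdict(True, f"valid signature from {valid_fpr}")

def verify_file(sig_path: str, data_path: str, expected_fprs: Iterable[str], gpg: str = "gpg") -> Verdict:
    """Run gpg with status lines directed to fd 1 (stdout) and evaluate them."""
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return evaluate(proc.stdout.splitlines(), proc.returncode, expected_fprs)

# Constructed sample output (not captured from a real gpg run); fingerprint and uid are placeholders.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = [
    f"[GNUPG:] GOODSIG {FPR[-16:]} Example Packager <packager@example.invalid>",
    f"[GNUPG:] VALIDSIG {FPR} 2006-03-01 1141210800 0 4 0 17 2 00 {FPR}",
    "[GNUPG:] TRUST_ULTIMATE",
]
SAMPLE_BAD = [f"[GNUPG:] BADSIG {FPR[-16:]} Example Packager <packager@example.invalid>"]
# Text output only, no status lines: must fail even if gpg happened to exit 0.
SAMPLE_SILENT = ["gpg: Signature made Wed 01 Mar 2006 11:00:00 UTC"]
```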
