[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] Re: SUSE Security Announcement: gpg,liby2util signature checking problems (SUSE-SA:2006:013)

On Monday 06 March 2006 18:19, Markus Gaugusch wrote:
> On Mar 6, Malte Gell <malte.gell@xxxxxx> wrote:

> > Has there ever been evidene that
> > someone made use of this terribly severe bug?

> I don't think so. Luckily, fou4s [1] has not used the return value at
> all during the past 3 years. It used the text output of the gpg
> --verify command and was therefore immune to that problem. 

Are you sure, the --verify command was not vulnerable? I thought only 
--status-fd gave the correct result...?

> This also 
> proofs that at least on the common mirrors (ftp.gwdg.de, sometimes
> ftp.leo.org I think, and lately also suse.inode.at) no manipulated
> package were placed.

Why is this a matter of what mirror one choses? I thought it´s only a 
matter of how YOU or your fou4s checks the signatures?


Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here