
[suse-security] Re: SUSE Security Announcement: gpg,liby2util signature checking problems (SUSE-SA:2006:013)

On Mar 6, Malte Gell <malte.gell@xxxxxx> wrote:

> On Monday 06 March 2006 18:19, Markus Gaugusch wrote:
> > On Mar 6, Malte Gell <malte.gell@xxxxxx> wrote:
> > > Has there ever been evidence that
> > > someone made use of this terribly severe bug?
> > I don't think so. Luckily, fou4s [1] has not used the return value at
> > all during the past 3 years. It used the text output of the gpg
> > --verify command and was therefore immune to that problem. 
> Are you sure, the --verify command was not vulnerable? I thought only 
> --status-fd gave the correct result...?

The problem was in the return value of the --verify option. It was (I 
think) ALWAYS 0 (which means "OK"). But fou4s did not check the return 
type; it parsed the text output of this option (which was "ok" or "not 
ok", e.g. showing the real test result).

> > This also proves that at least on the common mirrors (ftp.gwdg.de, 
> > sometimes ftp.leo.org I think, and lately also suse.inode.at) no 
> > manipulated packages were placed.
> Why is this a matter of what mirror one chooses? I thought it's only a 
> matter of how YOU or your fou4s checks the signatures?

If I was running fou4s on a specific mirror and had not noticed any 
faulty packages, one could assume that this mirror was "clean".


__________________    /"\
Markus Gaugusch       \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at  X     Against HTML Mail
                      / \
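The thread turns on which gpg interface a signature checker should trust: the --verify exit status (unreliable in the affected versions) or the human-readable text (a message, not an interface). The example below is added here and is not fou4s code nor anything from the SUSE advisory; it judges a signature only from the documented `[GNUPG:] KEYWORD ...` lines that `gpg --status-fd` emits, and additionally pins the signing key's fingerprint, so a mirror operator who signs a tampered package with some other key is still rejected. The key IDs, fingerprints, user IDs and status lines in it are constructed samples, and `verify_detached` (which actually runs gpg) is a hypothetical wrapper that is not invoked at import time.

```python
"""Decide whether a GnuPG signature is acceptable from --status-fd output.

Added example for this thread; not fou4s code and not part of the SUSE
advisory. Only the documented "[GNUPG:] <KEYWORD> ..." machine interface
is consulted, never the exit status or the human-readable text. All key
IDs, fingerprints and status lines below are constructed samples.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Iterable, List

STATUS_PREFIX = "[GNUPG:] "

# Any of these keywords means the signature (or its key) must not be trusted.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class VerifyResult:
    good: bool = False                                     # GOODSIG seen, no fatal keyword
    fingerprints: List[str] = field(default_factory=list)  # primary key fprs from VALIDSIG
    problems: List[str] = field(default_factory=list)      # fatal status lines, verbatim


def parse_status(status_text: str) -> VerifyResult:
    """Interpret gpg status lines; anything without the [GNUPG:] prefix is ignored."""
    result = VerifyResult()
    saw_goodsig = False
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                      # human-readable output, not an interface
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword in FATAL_KEYWORDS:
            result.problems.append(line.strip())
        elif keyword == "GOODSIG":
            saw_goodsig = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            # Prefer the primary key fingerprint when gpg reports it (signing subkeys).
            if len(fields) >= 11:
                result.fingerprints.append(fields[10].upper())
            elif len(fields) >= 2:
                result.fingerprints.append(fields[1].upper())
    result.good = saw_goodsig and bool(result.fingerprints) and not result.problems
    return result


def normalize_fpr(fpr: str) -> str:
    """Strip the display grouping ("0123 4567 ...") and upper-case hex digits."""
    return fpr.replace(" ", "").upper()


def signature_acceptable(status_text: str, trusted_fingerprints: Iterable[str]) -> bool:
    """True only for a good signature made by an explicitly pinned key.
    A good signature from any other key (e.g. one a mirror operator controls) is rejected."""
    trusted = {normalize_fpr(f) for f in trusted_fingerprints}
    result = parse_status(status_text)
    return result.good and any(f in trusted for f in result.fingerprints)


def verify_detached(signed_path: str, sig_path: str, trusted_fingerprints: Iterable[str]) -> bool:
    """Hypothetical wrapper: run gpg and judge the outcome by status lines alone."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, signed_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
    )
    # proc.returncode is deliberately ignored: the advisory discussed in this
    # thread concerned a --verify exit status that could not be relied on.
    return signature_acceptable(proc.stdout, trusted_fingerprints)


# Constructed samples (fictitious key IDs, fingerprints and user IDs).
TRUSTED = ["0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"]
GOOD_STATUS = (
    'gpg: Good signature from "Example Signing Key <signer@example.org>"\n'
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signing Key <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-03-06 1141642800 0 3 0 17 2 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signing Key <signer@example.org>\n"
NO_KEY_STATUS = (
    "[GNUPG:] ERRSIG FEDCBA9876543210 17 2 00 1141642800 9\n"
    "[GNUPG:] NO_PUBKEY FEDCBA9876543210\n"
)
OTHER_KEY_STATUS = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.net>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2006-03-06 1141642800 0 3 0 17 2 00 "
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)
TEXT_ONLY = 'gpg: Good signature from "Example Signing Key <signer@example.org>"\n'

if __name__ == "__main__":
    samples = [("good", GOOD_STATUS), ("bad", BAD_STATUS), ("no key", NO_KEY_STATUS),
               ("other key", OTHER_KEY_STATUS), ("text only", TEXT_ONLY)]
    for name, status in samples:
        print(f"{name:10s} -> accepted={signature_acceptable(status, TRUSTED)}")
```

The "text only" sample is the point of the thread in miniature: a line that says "Good signature" carries no weight unless it arrives on the status channel, and even a genuine GOODSIG is only accepted when the VALIDSIG fingerprint matches a key pinned in advance, which is what makes the check independent of which mirror served the package.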