From sup-info@LOCUTUS4.CALDERASYSTEMS.COM Fri Oct 20 08:18:31 2000
From: Caldera Support Info
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 19 Oct 2000 11:14:17 -0600
Subject: [BUGTRAQ] Security Update: verification bug in gnupg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                   Caldera Systems, Inc.  Security Advisory

Subject:                verification bug in gnupg
Advisory number:        CSSA-2000-038.0
Issue date:             2000 October, 18
Cross reference:
______________________________________________________________________________

1. Problem Description

   There is a bug in the signature verification of GnuPG, the GNU
   replacement for PGP.

   Normally, signature verification with gnupg works as expected: gnupg
   properly detects when digitally signed data has been tampered with.
   However, these checks do not work properly when a single file contains
   several sections with inline signatures. In this case GnuPG does not
   always detect that some of the signed portions have been modified, and
   incorrectly reports that all signatures are valid.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        not vulnerable

   OpenLinux eServer 2.3        not vulnerable
   and OpenLinux eBuilder

   OpenLinux eDesktop 2.4       All packages previous to gnupg-1.0.4-2

3. Solution

   Workaround: None

4. OpenLinux Desktop 2.3

   not vulnerable

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   not vulnerable

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

         ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

         ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       3892693d729a46acc587dcece5a59f7c  RPMS/gnupg-1.0.4-2.i386.rpm
       407234b6c1381ed0e4e22ae99b88ba3f  SRPMS/gnupg-1.0.4-2.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following command:

         rpm -Fhv gnupg-1.0.4-2.i386.rpm

7. References

   This and other Caldera security resources are located at:

     http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 7996.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

   Caldera Systems wishes to thank Werner Koch, the author of GnuPG, for
   his work and cooperation.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE57v3U18sy83A/qfwRAoQNAJ9FqaDcp6LBSrE/Gf4ptHZQLx776ACeIkXZ
nNgMWmAfY/3rbLWwRJPmjwo=
=qgtb
-----END PGP SIGNATURE-----
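The defensive habit the problem description in section 1 calls for, as an added example that is not part of the advisory and not GnuPG's own code: a file carrying several clear-signed sections is never trusted on the strength of one overall "Good signature" result. The script below splits such a file into its individual BEGIN/END sections, so that each can be handed to gpg on its own and its exit status checked separately, and it accepts the file only when every section verifies. The sample text is constructed (placeholder armor, no real signature data), and the gpg command line and the presence of the signer's public key in the keyring are assumptions.

```python
"""Split a file with several OpenPGP clear-signed sections and verify each
one separately.

Added example for the Caldera advisory on the gnupg multi-section
verification bug; not code from the advisory or from GnuPG.  The point:
verify per section and require every section to pass, instead of trusting
a single overall verdict on a file that holds more than one signature.
"""
import os
import subprocess
import tempfile

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Return every complete clear-signed section (BEGIN..END) as its own
    string.  Text outside sections is dropped; a nested BEGIN, a stray END
    or an unterminated section is a malformed file and raises ValueError
    rather than being silently skipped."""
    sections, current = [], None
    for line in text.splitlines():
        if line == BEGIN:
            if current is not None:
                raise ValueError("nested BEGIN marker")
            current = [line]
        elif line == END:
            if current is None:
                raise ValueError("END marker without BEGIN")
            current.append(line)
            sections.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        raise ValueError("unterminated clear-signed section")
    return sections


def is_well_formed(text):
    """True when the file splits cleanly into zero or more sections."""
    try:
        split_clearsigned(text)
        return True
    except ValueError:
        return False


def signed_text(section):
    """The text a single section claims to sign: everything between the
    blank line that ends the armor headers and the signature block, with
    OpenPGP dash-escaping ('- ' prefix, RFC 4880 7.1) undone."""
    lines = section.splitlines()
    i = 1
    while i < len(lines) and lines[i] != "":   # skip 'Hash:' etc.
        i += 1
    i += 1                                      # skip the blank separator
    body = []
    while i < len(lines) and lines[i] != SIG_BEGIN:
        line = lines[i]
        body.append(line[2:] if line.startswith("- ") else line)
        i += 1
    return "\n".join(body) + ("\n" if body else "")


def verify_each(text, gpg="gpg"):
    """Run `gpg --batch --verify` once per section (assumed invocation) and
    return [(index, ok)], where ok is True only if gpg exited 0 for that
    section alone.  Needs a gpg binary and the signer's public key."""
    results = []
    for i, sec in enumerate(split_clearsigned(text)):
        fd, path = tempfile.mkstemp(suffix=".asc")
        try:
            with os.fdopen(fd, "w") as f:
                f.write(sec)
            proc = subprocess.run([gpg, "--batch", "--verify", path],
                                  capture_output=True, text=True)
            results.append((i, proc.returncode == 0))
        finally:
            os.unlink(path)
    return results


def all_valid(results):
    """Accept the file only when there is at least one section and every
    section verified; one failure anywhere rejects the whole file."""
    return bool(results) and all(ok for _, ok in results)


# Constructed sample (not from the advisory): two sections in one file,
# placeholder armor in place of real signature data.  In the scenario the
# advisory describes, the second section's text has been altered after
# signing, so it must fail on its own even if the first verifies.
SECTION_ONE = (
    BEGIN + "\nHash: SHA1\n\n"
    "Upgrade gnupg to 1.0.4-2 before Friday.\n"
    + SIG_BEGIN + "\n\nplaceholder-signature-data-1\n" + END + "\n"
)
SECTION_TWO_TAMPERED = (
    BEGIN + "\nHash: SHA1\n\n"
    "Wire the payment to account 9999 instead.\n"
    + SIG_BEGIN + "\n\nplaceholder-signature-data-2\n" + END + "\n"
)
SAMPLE_TWO_SECTIONS = ("Cover note outside any signature.\n"
                       + SECTION_ONE + "\n" + SECTION_TWO_TAMPERED)

if __name__ == "__main__":
    for n, sec in enumerate(split_clearsigned(SAMPLE_TWO_SECTIONS)):
        print(f"section {n}: {signed_text(sec).strip()!r}")
    # With real signatures and a populated keyring:
    #   print(all_valid(verify_each(SAMPLE_TWO_SECTIONS)))
```

Running the file prints the text each section claims to sign, which makes a multi-section file visible as such before anything is trusted; `verify_each` then supplies the per-section verdicts that a single `gpg --verify` over the whole file did not reliably give on the affected versions.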