5586977 2000-10-12 20:33 /121 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13242>
Subject: GPG 1.0.3 doesn't detect modifications to files with multiple signatures
------------------------------------------------------------
From: Jim Small <cavenewt@MY-DEJA.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200010111930.MAA03505@mail14.bigmailbox.com>

Attached are multiple copies of a file I had signed. Then I started
modifying parts of the SIGNED message, to see if gpg could detect that
the messages had been altered. It did not detect them, so long as the
last signed message had not been altered.

Save this message as newfile.asc and run

gpg --verify newfile.asc -o /dev/null

to see for yourself (the key it was signed with is available via
keyservers)

asdfasfasdfd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just added by one stuff to thie message bogugfirst file encrypted with nobody dude on uinix box, send to nethole forpmail this is actually encrypted with a valid pgpg key imported form win95
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+
a05Yt6xZwd/PxtQsRe+88AQ=
=siBR
-----END PGP SIGNATURE-----
middle stuff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

another wrong first file encrypted with nobody dude on uinix box, send to nethole forpmail this is actually encrypted with a valid pgpg key imported form win95 another file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538hvZi9y1BQncn4RAolnAKCwEJTyPm6895ybQfk1D5IfeqJjmwCg4MlP
3NbvJocg5ksql40aOTZf0MY=
=yBf2
-----END PGP SIGNATURE-----
asfasfasf end stuff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

first file encrypted with nobody dude on uinix box, send to nethole forpmail this is actually encrypted with a valid pgpg key imported form win95 bogud
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+
a05Yt6xZwd/PxtQsRe+88AQ=
=siBR
-----END PGP SIGNATURE-----
stuff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

first file encrypted with nobody dude on uinix box, send to nethole forpmail this is actually encrypted with a valid pgpg key imported form win95
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+
a05Yt6xZwd/PxtQsRe+88AQ=
=siBR
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

first file encrypted with nobody dude on uinix box, send to nethole forpmail this is actually encrypted with a valid pgpg key imported form win95
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+
a05Yt6xZwd/PxtQsRe+88AQ=
=siBR
-----END PGP SIGNATURE-----

gpg: Signature made Sat Oct 7 17:47:33 2000 PDT using DSA key ID 1427727E
gpg: Good signature from "James F. Small, Jr. <smallj@nethole.com>"
gpg: aka "Jim Small <smallj@pacbell.net>"
gpg: aka "James F. Small, Jr. <smallj@saic.com>"
gpg: aka "James F. Small, Jr. <smallj@small.cx>"
gpg: Signature made Sat Oct 7 18:05:51 2000 PDT using DSA key ID 1427727E
gpg: BAD signature from "James F. Small, Jr. <smallj@nethole.com>"
gpg: Signature made Sat Oct 7 17:47:33 2000 PDT using DSA key ID 1427727E
gpg: Good signature from "James F. Small, Jr. <smallj@nethole.com>"
gpg: aka "Jim Small <smallj@pacbell.net>"
gpg: aka "James F. Small, Jr. <smallj@saic.com>"
gpg: aka "James F. Small, Jr. <smallj@small.cx>"
gpg: Signature made Sat Oct 7 17:47:33 2000 PDT using DSA key ID 1427727E
gpg: Good signature from "James F. Small, Jr. <smallj@nethole.com>"
gpg: aka "Jim Small <smallj@pacbell.net>"
gpg: aka "James F. Small, Jr. <smallj@saic.com>"
gpg: aka "James F. Small, Jr. <smallj@small.cx>"
gpg: Signature made Sat Oct 7 17:47:33 2000 PDT using DSA key ID 1427727E
gpg: Good signature from "James F. Small, Jr. <smallj@nethole.com>"
gpg: aka "Jim Small <smallj@pacbell.net>"
gpg: aka "James F. Small, Jr. <smallj@saic.com>"
gpg: aka "James F. Small, Jr. <smallj@small.cx>"
(5586977) ------------------------------------------(Rewrapped)

5592647 2000-10-14 01:08 /62 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13274>
Comment on text 5586977 by Brevbäraren (som är implementerad i) Python
Subject: Re: GPG 1.0.3 doesn't detect modifications to files with multiple signatures
------------------------------------------------------------
From: Werner Koch <wk@GNUPG.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001013184204.K6164@gnupg.de>

Hi!

Jim is right. There is a bug in all GnuPG versions up to 1.0.3:

If you have more than one cleartext signature in a file (or pipe that
to gpg), gpg does not compare each signature but flags each document
as good or bad depending on the first document in the file.

This is a very serious bug in gpg's verification function.

I have made a snapshot version which corrects this bug available at:

ftp://ftp.guug.de/gcrypt/devel/gnupg-1.0.3b.tar.gz (1681k)
ftp://ftp.guug.de/gcrypt/devel/gnupg-1.0.3b.tar.gz.sig

This version also comes with AES support but there are still the same
problems with building on Solaris and HP/UX as in 1.0.3. We are
currently working on large file support and the compilation problems.
A regular release should be available in a few days.

Some background:

To check cleartext signatures, GnuPG uses the same dearmoring code as
everywhere and this code works just like a filter which decodes the
base-64 armor and feeds it into the normal processing.
When it comes to cleartext signatures, the armor code fakes 2 packets:
The first one is a so-called one-pass packet, which tells the further
processing stuff how the plaintext should be hashed and a literal data
packet which contains the signed material. This way it is not easy to
detect the cleartext signed part which is needed to reset the internal
state of gpg.

The new solution (which is something I should have done from the
beginning) is to create a new control packet, which is taken out of
the special private packet number space and use this to transfer the
meta information about the cleartext signature to the verification
engine. To avoid problems with control packets sent to gpg over the
normal input, the faked packets are now tagged with a random string
during creation and the packet parser code accepts this control packet
only when it contains this tag.

This problem has been in GnuPG since the beginning but Jim seems to be
the first one who noticed that. We need better auditing folks! This
bug is just one more proof that "given enough eyeballs all bugs are
shallow" cannot be held true when it comes to security bugs; well,
the bugs are probably found faster - but most times only by
coincidence.

BTW, I would have appreciated it if Jim had reported that bug through
the usual GnuPG bug address or to the developers mailing list, to give
us a day or so to analyze the thing and prepare a patch.

  Werner

--
Werner Koch                      GnuPG key: 621CC013
OpenIT GmbH                      http://www.OpenIT.de
(5592647) ------------------------------------------
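
A defensive pre-check for input like Jim's test file, as an added example (not GnuPG code and not from either poster): it splits a stream into its individual clearsigned blocks so that no single gpg run sees more than one cleartext signature, the condition Werner names for the bug, and it reports text that no signature covers. The function names and the sample with placeholder signature bodies are constructed for illustration.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(text):
    """Return (blocks, stray, errors) for a stream of clearsigned documents."""
    blocks, stray, errors = [], [], []
    state, current = "outside", []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        s = line.rstrip()
        if state == "outside":
            if s == BEGIN_MSG:
                state, current = "text", [s]
            elif s:
                stray.append((n, s))  # text that no signature covers
        elif state == "text":
            if s == BEGIN_MSG:
                # Signed text dash-escapes such lines ("- -----BEGIN ..."),
                # so a bare marker here means the input is malformed.
                errors.append((n, "begin marker inside signed text"))
                current = [s]
            else:
                current.append(line)
                if s == BEGIN_SIG:
                    state = "sig"
        else:  # inside the armored signature
            current.append(line)
            if s == END_SIG:
                blocks.append("\n".join(current) + "\n")
                state, current = "outside", []
    if state != "outside":
        errors.append((len(lines), "unterminated block"))
    return blocks, stray, errors

def triage(text):
    """'verify': one clean block; 'split': check each block alone; 'reject': malformed."""
    blocks, stray, errors = split_clearsigned(text)
    if errors or not blocks:
        return "reject"
    return "verify" if len(blocks) == 1 and not stray else "split"

def make_doc(body, sig):
    # Constructed sample block; sig is a placeholder, not a real signature.
    return f"{BEGIN_MSG}\nHash: SHA1\n\n{body}\n{BEGIN_SIG}\n\n{sig}\n{END_SIG}\n"

SAMPLE = ("leading junk\n" + make_doc("first document", "PLACEHOLDER1")
          + "middle stuff\n" + make_doc("second document", "PLACEHOLDER2"))

if __name__ == "__main__":
    blocks, stray, errors = split_clearsigned(SAMPLE)
    print(triage(SAMPLE), len(blocks), stray, errors)
```

Each returned block can be written to its own file and passed to `gpg --verify` separately; anything listed in `stray` should be treated as unauthenticated.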