FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

GnuPG does not detect injection of unsigned data

Affected packages
gnupg < 1.4.2.2

Details

VuXML ID 948921ad-afbc-11da-bad9-02e081235dab
Discovery 2006-03-09
Entry 2006-03-10
Modified 2006-03-11

Werner Koch reports:

In the aftermath of the false positive signature verification bug (announced 2006-02-15) more thorough testing of the fix has been done and another vulnerability has been detected. This new problem affects the use of *gpg* for verification of signatures which are _not_ detached signatures. The problem also affects verification of signatures embedded in encrypted messages; i.e. standard use of gpg for mails.

References

CVE Name CVE-2006-0049
Message 87d5gvh2kr.fsf@wheatstone.g10code.de