USN-252-1: gnupg vulnerability
Posted on: 02/17/2006 04:22 PM

A new gnupg vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-252-1 February 17, 2006
gnupg vulnerability
CVE-2006-0455
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

gnupg

The problem can be corrected by upgrading the affected package to
version 1.2.4-4ubuntu2.2 (for ubuntu 4.10), 1.2.5-3ubuntu5.2 (for
Ubuntu 5.04), or 1.4.1-1ubuntu1.1 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a potential weakness in the signature
verification of gnupg. gpgv and gpg --verify returned a successful
exit code even if the checked file did not have any signature at all.
The recommended way of checking the result is to evaluate the status
messages, but some third party applications might just check the exit
code for determining whether or not a signature is valid. These
applications could be tricked into erroneously reporting a valid
signature.

Please note that this does not affect the Ubuntu package signature
checks.


Updated packages for Ubuntu 4.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2.diff.gz
Size/MD5: 57697 7859d87efb668c1ffb53859c17e7200a
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2.dsc
Size/MD5: 621 a601569ac7c80138bc56e9f9eb4fbecb
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4.orig.tar.gz
Size/MD5: 3451202 adfab529010ba55533c8e538c0b042a2

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2_amd64.deb
Size/MD5: 1722418 530e590811bd954b24ff06ca0a690050

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2_i386.deb
Size/MD5: 1667378 9456a90509b1c80c1723abd2bf2b9d07

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.2_powerpc.deb
Size/MD5: 1721708 f8bc943af454d4bcc6566340c6ef1a41

Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2.diff.gz
Size/MD5: 63903 154d68158685ee570446e0ea5bde2fd4
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2.dsc
Size/MD5: 654 3101b98dfda3da22b8c013ff557fd95a
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5.orig.tar.gz
Size/MD5: 3645308 9109ff94f7a502acd915a6e61d28d98a

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2_amd64.deb
Size/MD5: 805508 d370724a74d179da246fa48240f2907e
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.2_amd64.udeb
Size/MD5: 146278 5f2a57a83c42c4053c974a5c8dbfbd8f

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2_i386.deb
Size/MD5: 750320 da0f3f94a0f084a32be0bf1f17473a59
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.2_i386.udeb
Size/MD5: 121234 210e76177b3737275909d31d6eeb0cc5

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.2_powerpc.deb
Size/MD5: 806078 1d625d6235b1659f86acae0d8efbd3c4
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.2_powerpc.udeb
Size/MD5: 135284 7d46859278245aa9784d020d23ac1440

Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1.diff.gz
Size/MD5: 18014 e0c82f178dd412ea54607ca9cd03624b
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1.dsc
Size/MD5: 684 c25b2397ca0e6af1201f840ba8e7e89b
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
Size/MD5: 4059170 1cc77c6943baaa711222e954bbd785e5

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1_amd64.deb
Size/MD5: 1135890 fc1cab421bd3defb1587d8d49741cc61
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.1_amd64.udeb
Size/MD5: 152140 45911ed13c75e1320633487e001a2d57

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1_i386.deb
Size/MD5: 1043962 91336db0bac738815ac0d4de7094fdb0
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.1_i386.udeb
Size/MD5: 130578 49c6cbdf3aed81683a346d0eee7f457b

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.1_powerpc.deb
Size/MD5: 1119074 deea65c63af7e01c9675a2ff597ff3ba
http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.1_powerpc.udeb
Size/MD5: 140072 f147e53fb3beb6a19f362271d08d31e0

--RIYY1s2vRbPFwWeW
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD9eeeDecnbV4Fd/IRAojpAJ9V6srb0trpFMzdX52ZxirO/nZ22wCghe4v
A/WCefpUc4WZyJCYVxgNT8o=
=NEeZ
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_252_1_gnupg_vulnerability.html)