SUSE Security Announcement: gpg signature checking problems (SUSE-SA:2006:014)
______________________________________________________________________________
SUSE Security Announcement
Package: gpg
Announcement ID: SUSE-SA:2006:014
Date: Fri, 10 Mar 2006 18:00:00 +0000
Affected Products: SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 9
SUSE Default Package: yes
Cross-References: CVE-2006-0049
Content of This Advisory:
1) Security Vulnerability Resolved:
gpg signature verification problem
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The GNU Privacy Guard (GPG) allows crafting a message which could
check out correct using "--verify", but would extract a different,
potentially malicious content when using "-o --batch".
The reason for this is that a .gpg or .asc file can contain multiple
plain text and signature streams and the handling of these streams was
only possible when correctly following the gpg state.
The gpg "--verify" option has been changed to be way more strict than
before and fail on files with multiple signatures/blocks to mitigate
the problem of doing the common --verify checks and -o extraction.
This problem could be used by an attacker to remotely execute code
by using handcrafted YaST Online Patch files put onto a compromised
YOU mirror server and waiting for the user to run YOU.
This problem is tracked by the Mitre CVE ID CVE-2006-0049.
This is a different issue than the gpg signature checking problem for
which we released updates a week ago, tracked by SUSE-SA:2006:013 /
CVE-2006-0455.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
None.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
....
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
....
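An added example, not part of the advisory or of GnuPG's own code: a Python check that walks the packet framing of a binary (unarmored, uncompressed) OpenPGP signed file and accepts only the single one-pass-signature / literal-data / signature sequence, which is the structural strictness the fixed "--verify" now enforces. The sample packets are constructed with placeholder bodies, so the check exercises framing only and performs no signature verification; partial-body and indeterminate lengths are deliberately rejected.

```python
import struct

# OpenPGP packet tags (RFC 4880, section 4.3) that make up a signed message.
TAG_SIGNATURE, TAG_ONE_PASS_SIG, TAG_LITERAL = 2, 4, 11
EXPECTED_LAYOUT = [TAG_ONE_PASS_SIG, TAG_LITERAL, TAG_SIGNATURE]

def packet_tags(data):
    """Return [(tag, body_length), ...] for a binary (unarmored) OpenPGP stream.
    Only packet headers are parsed; bodies are skipped, never interpreted."""
    out, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {pos}")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:                                        # partial body lengths
                raise ValueError("partial body length not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            lsize = 1 << ltype                           # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + lsize], "big")
            hdr = 1 + lsize
        out.append((tag, length))
        pos += hdr + length
    return out

def is_single_signed_stream(data):
    """True only for the exact one-pass-sig / literal / signature sequence; an
    extra literal-data packet is what lets --verify pass while -o extracts more."""
    return [tag for tag, _ in packet_tags(data)] == EXPECTED_LAYOUT

def new_pkt(tag, body):
    """Frame a body as a new-format packet (one-octet length); samples only."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed samples: placeholder bodies, no real signatures, framing only.
GOOD = (new_pkt(TAG_ONE_PASS_SIG, b"\x03" * 13)
        + new_pkt(TAG_LITERAL, b"signed text")
        + new_pkt(TAG_SIGNATURE, b"\x04" * 40))
INJECTED = GOOD + new_pkt(TAG_LITERAL, b"unsigned extra")
```

Run against a real file, the check is a pre-filter only: a file that passes it still needs a real signature verification, and a file that fails it should simply not be handed to "-o" extraction.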
Is the SuSE security team's public key broken on http://pgp.mit.edu? I went there, downloaded http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3D25D3D9 to (say for brevity) file.pubkey, and then ran
gpg --import file.pubkey
This returned with:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
Actually, I did all this twice, including downloading, with the same result each time. Using gpg2 yielded the same. What's the deal?
-- 
"This world ain't big enough for the both of us," said the big noema to the little noema.
On Sunday 12 March 2006 2:51 am, ken wrote:
> Is the SuSE security team's public key broken on http://pgp.mit.edu?
No, just tried it, works fine.
> I went there, downloaded http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3D25D3D9 to (say for brevity) file.pubkey, and then ran
> gpg --import file.pubkey
> This returned with:
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
> Actually, I did all this twice, including downloading, with the same result each time. Using gpg2 yielded the same. What's the deal?
How are you 'downloading it'? I copied then pasted to kate and saved it as test.key
gpg --import test.key
gpg: key 3D25D3D9: duplicated user ID detected - merged
gpg: key 3D25D3D9: "SuSE Security Team
Scott Leighton wrote:
> ....
> > I went there, downloaded http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3D25D3D9 to (say for brevity) file.pubkey, and then ran
> > gpg --import file.pubkey
> > This returned with:
> > gpg: no valid OpenPGP data found.
> > gpg: Total number processed: 0
> > Actually, I did all this twice, including downloading, with the same result each time. Using gpg2 yielded the same. What's the deal?
> How are you 'downloading it'? I copied then pasted to kate and saved it as test.key
Using Firefox, brought up the page mentioned above, clicked on File > Save Page As, gave a directory and filename, and clicked OK. Nothing at all mysterious or unusual. After the first download I used vi to trim off the couple of html lines above and below the key delimiters (even though I was almost sure it didn't matter-- gpg would find the delimiters). For the second download (after the first file wouldn't import) I left the little bit of html code in the file and got the same result. After the second failure I did a diff on the two files and the only difference was that aforementioned html code. Did you download the key from the page cited above? Or somewhere else?
> gpg --import test.key
> gpg: key 3D25D3D9: duplicated user ID detected - merged
> gpg: key 3D25D3D9: "SuSE Security Team" 49 new signatures
> Scott
-- 
"This world ain't big enough for the both of us," said the big noema to the little noema.
On Sunday 12 March 2006 8:28 am, ken wrote:
> Using Firefox, brought up the page mentioned above, clicked on File > Save Page As, gave a directory and filename, and clicked OK. Nothing at all mysterious or unusual. After the first download I used vi to trim off the couple of html lines above and below the key delimiters (even though I was almost sure it didn't matter-- gpg would find the delimiters). For the second download (after the first file wouldn't import) I left the little bit of html code in the file and got the same result.
> After the second failure I did a diff on the two files and the only difference was that aforementioned html code.
> Did you download the key from the page cited above? Or somewhere else?
I went straight to the url in your message, did a selection of the key then right clicked and did copy text (using Opera). Switched to kate and did an edit paste, saved the result as test.key and it imported just fine.
Scott
-- 
Non compos mentis
POPFile, the OpenSource EMail Classifier http://popfile.sourceforge.net/
Linux 2.6.11.4-21.11-default x86_64 SuSE Linux 9.3 (x86-64)
Scott Leighton wrote:
> On Sunday 12 March 2006 8:28 am, ken wrote:
> > Using Firefox, brought up the page mentioned above, clicked on File > Save Page As, gave a directory and filename, and clicked OK. Nothing at all mysterious or unusual. After the first download I used vi to trim off the couple of html lines above and below the key delimiters (even though I was almost sure it didn't matter-- gpg would find the delimiters). For the second download (after the first file wouldn't import) I left the little bit of html code in the file and got the same result.
> > After the second failure I did a diff on the two files and the only difference was that aforementioned html code.
> > Did you download the key from the page cited above? Or somewhere else?
> I went straight to the url in your message, did a selection of the key then right clicked and did copy text (using Opera). Switched to kate and did an edit paste, saved the result as test.key and it imported just fine.
> Scott
Thanks, Scott. I just used a cut-n-paste to a gnome-terminal, ran "gpg --import ..." on it and it worked. This is the method I use most often, so I guess I'll stay with it. I didn't use it on this page earlier because cutting and pasting sometimes horks on big chunks of text... a limitation of the clipboard size, I'm told. So on to the next step. Thanks again.
-- 
"This world ain't big enough for the both of us," said the big noema to the little noema.
Participants (3): ken, Marcus Meissner, Scott Leighton