On Monday 06 March 2006 18:19, Markus Gaugusch wrote:
On Mar 6, Malte Gell <malte.gell@gmx.de> wrote:
Has there ever been evidence that someone made use of this terribly severe bug?
I don't think so. Luckily, fou4s [1] has not used the return value at all during the past 3 years. It used the text output of the gpg --verify command and was therefore immune to that problem.
Are you sure the --verify command was not vulnerable? I thought only --status-fd gave the correct result...?
This also proves that at least on the common mirrors (ftp.gwdg.de, sometimes ftp.leo.org I think, and lately also suse.inode.at) no manipulated packages were placed.
Why is this a matter of what mirror one chooses? I thought it's only a matter of how YOU or your fou4s checks the signatures?
Malte
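The exchange above turns on how a script decides that gpg accepted a signature: the exit status (which the bug under discussion made untrustworthy), the human-readable text of gpg --verify, or the machine-readable --status-fd lines. The following is an added illustration of the --status-fd approach; it is not code from the thread, from fou4s, or from GnuPG. The keyword and field layout of the status lines follows GnuPG's doc/DETAILS; the trusted fingerprint, the sample status outputs and the keyring path are constructed for the example, and gpg_status is an assumed helper that is not run here.

```python
"""Decide whether a gpg verification succeeded from its --status-fd output.

Policy demonstrated: trust neither the exit status nor the stderr text on
their own. Require a VALIDSIG line naming a fingerprint we expect, and refuse
as soon as any line reports a bad, missing or unverifiable signature. An exit
status of 0 with no VALIDSIG is treated as unsigned data, which is exactly the
situation a script relying on the return value alone would have accepted.
"""
import subprocess

# Fingerprints of the signing keys we are willing to accept (constructed
# value; a real list holds the distributor's 40-hex-digit v4 fingerprints).
TRUSTED_FPRS = {"DEADBEEF" * 5}

# Status keywords that must cause an immediate rejection whatever else is seen.
FATAL = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "UNEXPECTED",
         "EXPKEYSIG", "REVKEYSIG", "KEYREVOKED"}

STATUS_PREFIX = "[GNUPG:] "


def parse_status(text):
    """Yield (keyword, args) for every '[GNUPG:] ' line; ignore all other text."""
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            yield parts[0], parts[1:]


def verdict(status_text, exit_code, trusted=TRUSTED_FPRS):
    """Return True only for a good signature made by a trusted key.

    The exit code is consulted only as an extra reason to fail, never as a
    reason to succeed.
    """
    if exit_code != 0:
        return False
    valid_fprs = set()
    for keyword, args in parse_status(status_text):
        if keyword in FATAL:
            return False
        if keyword == "VALIDSIG" and args:
            # First field of VALIDSIG is the fingerprint of the signing key.
            valid_fprs.add(args[0].upper())
    return bool(valid_fprs & {f.upper() for f in trusted})


def gpg_status(sig_path, data_path, keyring):
    """Assumed helper: run gpg non-interactively and return (status_text, exit_code).

    --status-fd 1 routes the machine-readable lines to stdout; a dedicated
    keyring means only keys installed on purpose can produce a match.
    Not exercised below, which uses constructed output instead.
    """
    cmd = ["gpg", "--batch", "--no-tty", "--no-default-keyring",
           "--keyring", keyring, "--status-fd", "1",
           "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout, proc.returncode


# Constructed sample outputs for the four situations a verifier must tell apart.
GOOD_STATUS = (
    "[GNUPG:] GOODSIG DEADBEEFDEADBEEF Example Packager <packager@example.org>\n"
    "[GNUPG:] VALIDSIG " + "DEADBEEF" * 5 + " 2006-03-06 1141664340 0 4 0 17 2 00 "
    + "DEADBEEF" * 5 + "\n"
    "[GNUPG:] TRUST_ULTIMATE\n"
)
# The troublesome case: no signature information at all, yet exit status 0.
UNSIGNED_STATUS = "gpg: no valid OpenPGP data found.\n"
BAD_STATUS = "[GNUPG:] BADSIG DEADBEEFDEADBEEF Example Packager <packager@example.org>\n"
WRONG_KEY_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <else@example.org>\n"
    "[GNUPG:] VALIDSIG " + "01234567" * 5 + " 2006-03-06 1141664340 0 4 0 17 2 00 "
    + "01234567" * 5 + "\n"
)


def demo():
    """Return the verdict for each constructed case, in a fixed order."""
    return {
        "good": verdict(GOOD_STATUS, 0),
        "unsigned_exit0": verdict(UNSIGNED_STATUS, 0),
        "badsig": verdict(BAD_STATUS, 1),
        "wrong_key": verdict(WRONG_KEY_STATUS, 0),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The same logic applies whether gpg or gpgv is the verifier: only VALIDSIG carries the fingerprint, so matching on it, rather than on the short key ID in GOODSIG or on the exit status, is what ties the accepted package to a key the script actually meant to trust.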