On Mar 6, Malte Gell wrote:
On Monday 06 March 2006 18:19, Markus Gaugusch wrote:
On Mar 6, Malte Gell wrote:
Has there ever been evidence that someone made use of this terribly severe bug?
I don't think so. Luckily, fou4s [1] has not used the return value at all during the past 3 years. It used the text output of the gpg --verify command and was therefore immune to that problem.
Are you sure the --verify command was not vulnerable? I thought only --status-fd gave the correct result...?
The problem was in the return value of the --verify option. It was (I think) ALWAYS 0 (which means "OK"). But fou4s did not check the return type, it parsed the text output of this option (which was "ok" or "not ok", e.g. showing the real test result).
This also proves that at least on the common mirrors (ftp.gwdg.de, sometimes ftp.leo.org I think, and lately also suse.inode.at) no manipulated packages were placed.
Why is this a matter of which mirror one chooses? I thought it's only a matter of how YOU or your fou4s checks the signatures?
If I have been running fou4s against a specific mirror and have not noticed any faulty packages, one could assume that this mirror was "clean".

Markus
--
 __________________
/"\  Markus Gaugusch
\ /  ASCII Ribbon Campaign  markus(at)gaugusch.at
 X   Against HTML Mail
/ \
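The thread turns on the difference between trusting gpg's exit status and reading what gpg actually says about the signature. The script below is an added example, not fou4s code and not anything posted in the thread: it runs gpg with --status-fd so that the result arrives as machine-readable "[GNUPG:] ..." lines, and treats a verification as successful only when a GOODSIG line is present and no BADSIG, ERRSIG or NODATA line is. The status lines fed to the demo at the bottom are constructed sample input; verify_file assumes a gpg binary in PATH and a detached or inline signature file as its argument.

```shell
#!/bin/sh
# Added example: decide whether a gpg verification succeeded by parsing
# the --status-fd protocol lines rather than the exit code or the
# human-readable (locale-dependent) "Good signature" text.

# classify_status: read "[GNUPG:] ..." lines on stdin.
# Prints GOOD, BAD or NOSIG and returns 0 only for GOOD.
classify_status() {
    good=0 bad=0 nosig=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*)  good=1 ;;
            "[GNUPG:] BADSIG "*)   bad=1 ;;
            "[GNUPG:] ERRSIG "*)   bad=1 ;;    # e.g. unknown key or algorithm
            "[GNUPG:] NODATA "*)   nosig=1 ;;  # no signature found at all
            "[GNUPG:] UNEXPECTED "*) nosig=1 ;;
        esac
    done
    # Any negative verdict wins over a positive one.
    if [ "$bad" -eq 1 ]; then
        echo BAD
        return 1
    fi
    if [ "$good" -eq 1 ] && [ "$nosig" -eq 0 ]; then
        echo GOOD
        return 0
    fi
    # Absence of GOODSIG is a failure, even if gpg exited 0.
    echo NOSIG
    return 1
}

# verify_file: run gpg on a real signed file (assumes gpg in PATH).
# The function's status is that of classify_status, not of gpg.
verify_file() {
    gpg --batch --no-tty --status-fd 1 --verify "$1" 2>/dev/null | classify_status
}

# Demo on constructed status output (no gpg needed to run this part).
sample_good='[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2006-03-06 1141660800
[GNUPG:] GOODSIG 0123456789ABCDEF Example Key <key@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-03-06 1141660800 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
printf '%s\n' "$sample_good" | classify_status
```

Usage: `verify_file package.rpm.sig` (with the data file alongside it) prints GOOD/BAD/NOSIG and returns non-zero for anything but GOOD, so `verify_file f.sig || rm f` works as a download check. Parsing the text that --verify prints for humans, as the thread says fou4s did, also avoids the exit-code problem, but that text changes with locale and gpg version; the --status-fd lines are the interface gpg provides for programs.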