SUSE Security Announcement: gpg,liby2util signature checking problems (SUSE-SA:2006:013)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: gpg,liby2util
Announcement ID: SUSE-SA:2006:013
Date: Wed, 01 Mar 2006 11:00:00 +0000
Affected Products: SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SUSE LINUX Enterprise Server 9
UnitedLinux 1.0
Open Enterprise Server 1
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 9
SUSE Default Package: yes
Cross-References: CVE-2006-0455, CVE-2006-0803
Content of This Advisory:
1) Security Vulnerability Resolved:
gpg signature checking problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This is a reissue of SUSE-SA:2006:009, after we found out that gpg
versions < 1.4.x are also affected by the signature checking problem
of CVE-2006-0455.
With certain hand-craftable signatures GPG returned exit status 0
(meaning "valid signature") when run from the command line with the
option --verify.
This could make automated checkers, for instance the patch file
verification checker of the YaST Online Update, accept malicious patch
files as correct and allow remote code execution.
This is tracked by the Mitre CVE ID CVE-2006-0455.
Also, the YaST Online Update script signature verification used a gpg
feature which was not meant for signature verification, making it
possible to supply any kind of script which would be considered
correctly signed. This would also allow code execution.
This issue is tracked by the Mitre CVE ID CVE-2006-0803.
Both attacks require an attacker to either manipulate a YaST Online
Update mirror or manipulate the network traffic between the mirror
and your machine.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
None.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
On Wednesday 01 March 2006 10:24, Marcus Meissner wrote:
> Hello,
> Package: gpg,liby2util
> Announcement ID: SUSE-SA:2006:013
> Date: Wed, 01 Mar 2006 11:00:00 +0000
> Affected Products: SUSE LINUX 10.0

the longer I think about this, the more this bug frightens me... For so many years up to now it was possible to foist malicious code with faulty gpg signatures... Has there ever been evidence that someone made use of this terribly severe bug?

Regards
Malte
On Mar 6, Malte Gell wrote:
> On Wednesday 01 March 2006 10:24, Marcus Meissner wrote:
> > Hello,
> > Package: gpg,liby2util
> > Announcement ID: SUSE-SA:2006:013
> > Date: Wed, 01 Mar 2006 11:00:00 +0000
> > Affected Products: SUSE LINUX 10.0
>
> the longer I think about this, the more this bug frightens me... For so many years up to now it was possible to foist malicious code with faulty gpg signatures... Has there ever been evidence that someone made use of this terribly severe bug?

I don't think so. Luckily, fou4s [1] has not used the return value at all during the past 3 years. It used the text output of the gpg --verify command and was therefore immune to that problem. This also proves that at least on the common mirrors (ftp.gwdg.de, sometimes ftp.leo.org I think, and lately also suse.inode.at) no manipulated packages were placed. Of course this is not guaranteed for other mirrors, but maybe other fou4s users can give you some assurance there as well.

Markus

[1] http://fou4s.gaugusch.at

-- 
 __________________
 /"\  Markus Gaugusch
 \ /  ASCII Ribbon Campaign   markus(at)gaugusch.at
  X   Against HTML Mail
 / \
On Monday 06 March 2006 18:19, Markus Gaugusch wrote:
> On Mar 6, Malte Gell wrote:
> > Has there ever been evidence that someone made use of this terribly severe bug?
>
> I don't think so. Luckily, fou4s [1] has not used the return value at all during the past 3 years. It used the text output of the gpg --verify command and was therefore immune to that problem.

Are you sure the --verify command was not vulnerable? I thought only --status-fd gave the correct result...?

> This also proves that at least on the common mirrors (ftp.gwdg.de, sometimes ftp.leo.org I think, and lately also suse.inode.at) no manipulated packages were placed.

Why is this a matter of what mirror one chooses? I thought it's only a matter of how YOU or your fou4s checks the signatures?

Malte
On Mar 6, Malte Gell wrote:
> On Monday 06 March 2006 18:19, Markus Gaugusch wrote:
> > On Mar 6, Malte Gell wrote:
> > > Has there ever been evidence that someone made use of this terribly severe bug?
> >
> > I don't think so. Luckily, fou4s [1] has not used the return value at all during the past 3 years. It used the text output of the gpg --verify command and was therefore immune to that problem.
>
> Are you sure the --verify command was not vulnerable? I thought only --status-fd gave the correct result...?

The problem was in the return value of the --verify option. It was (I think) ALWAYS 0 (which means "OK"). But fou4s did not check the return type, it parsed the text output of this option (which was "ok" or "not ok", i.e. showing the real test result).

> > This also proves that at least on the common mirrors (ftp.gwdg.de, sometimes ftp.leo.org I think, and lately also suse.inode.at) no manipulated packages were placed.
>
> Why is this a matter of what mirror one chooses? I thought it's only a matter of how YOU or your fou4s checks the signatures?

If I was running fou4s on a specific mirror and have not noticed any faulty packages, one could assume that this mirror was "clean".

Markus

-- 
 __________________
 /"\  Markus Gaugusch
 \ /  ASCII Ribbon Campaign   markus(at)gaugusch.at
  X   Against HTML Mail
 / \
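The advisory describes a checker that trusted the exit status of gpg --verify, and the exchange above describes fou4s surviving by scraping gpg's human-readable text instead. Neither is what an automated updater should do. The following is an added example, written for this page and not code from SUSE, YaST or fou4s: it verifies a signature by parsing gpg's machine-readable status lines (the real --status-fd option, which emits "[GNUPG:] GOODSIG", "[GNUPG:] VALIDSIG", "[GNUPG:] BADSIG" and similar keywords), requires a GOODSIG plus a VALIDSIG from a pinned key fingerprint, and fails closed when gpg reports no verified signature at all. The fingerprint, key ID, user ID and the sample status outputs are constructed for the example; in particular STATUS_NOTHING_VERIFIED is an assumed approximation of the failure mode the advisory describes (exit status 0, nothing verified), not captured output from a vulnerable gpg.

```python
# Added example (not SUSE's, YaST's or fou4s's code): verify a GnuPG
# signature in an automated updater by parsing gpg's machine-readable status
# lines (--status-fd) rather than trusting the exit status or scraping the
# human-readable text of --verify.
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Status keywords that mean the verification must be rejected, whatever else
# gpg reports for the same file.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def parse_status(status_text: str, trusted_fprs: Iterable[str]) -> VerifyResult:
    """Accept only if gpg reported GOODSIG and a VALIDSIG whose signing-key
    fingerprint is one we pin. Anything else, including gpg saying nothing
    at all about a signature, is a rejection."""
    trusted = {f.upper() for f in trusted_fprs}
    good = False
    fingerprints: List[str] = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                                  # not a status line
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in FATAL_KEYWORDS:
            return VerifyResult(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fingerprints.append(fields[2].upper())    # fingerprint of signing key
    if not good or not fingerprints:
        # Silence is not consent: with no GOODSIG/VALIDSIG nothing was verified,
        # however gpg's exit status looked.
        return VerifyResult(False, "no signature was verified")
    unpinned = [f for f in fingerprints if f not in trusted]
    if unpinned:
        return VerifyResult(False, f"signed by unpinned key {unpinned[0]}")
    return VerifyResult(True, "good signature from pinned key", fingerprints[0])


def verify_file(signature_path: str, data_path: str, trusted_fprs: Iterable[str],
                gpg: str = "gpg") -> VerifyResult:
    """Run gpg with the status stream on stdout and combine the exit status
    with the parsed status lines. Needs a gpg binary and a keyring that holds
    the signing key; not exercised by the constructed samples below."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1",
         "--verify", signature_path, data_path],
        capture_output=True, text=True)
    result = parse_status(proc.stdout, trusted_fprs)
    if result.ok and proc.returncode != 0:
        # A good status line next to a non-zero exit is a contradiction; fail closed.
        return VerifyResult(False, f"gpg exited with status {proc.returncode}")
    return result


# Constructed sample status output for a hypothetical signing key (not a real
# SUSE key). The GOODSIG key ID is the last 16 hex digits of the fingerprint.
PINNED_FPR = "79C179B2E1C820C1890F9994A84EDF8A2D57DFCE"
STATUS_GOOD = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A84EDF8A2D57DFCE Example Update Signing Key <updates@example.invalid>
[GNUPG:] VALIDSIG {PINNED_FPR} 2006-03-01 1141210000 0 4 0 17 2 00 {PINNED_FPR}
[GNUPG:] TRUST_FULLY
"""
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG A84EDF8A2D57DFCE Example Update Signing Key <updates@example.invalid>
"""
# Constructed approximation of the failure mode in the advisory: gpg walks the
# file, exits 0, yet never reports a verified signature. A checker that tests
# only the exit status accepts this; parse_status() does not.
STATUS_NOTHING_VERIFIED = """\
[GNUPG:] PLAINTEXT 62 1141210000 patch.sh
[GNUPG:] PLAINTEXT_LENGTH 4096
"""

if __name__ == "__main__":
    for name, status in (("good", STATUS_GOOD), ("bad", STATUS_BAD),
                         ("nothing verified", STATUS_NOTHING_VERIFIED)):
        print(f"{name:17s} -> {parse_status(status, [PINNED_FPR])}")
```

The design point is that every path except "GOODSIG and VALIDSIG from a key we pin" rejects: a BADSIG, a signature from a key that merely happens to be in the keyring, and the empty case where gpg reports nothing are all failures regardless of exit status. Pinning the fingerprint rather than the short key ID matters because key IDs can be made to collide; comparing case-insensitively avoids a spurious mismatch between the hex case gpg prints and the one in your configuration.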
On Monday 06 March 2006 18:59, Markus Gaugusch wrote:
> On Mar 6, Malte Gell wrote:
> > > This also proves that at least on the common mirrors (ftp.gwdg.de, sometimes ftp.leo.org I think, and lately also suse.inode.at) no manipulated packages were placed.
> >
> > Why is this a matter of what mirror one chooses? I thought it's only a matter of how YOU or your fou4s checks the signatures?
>
> If I was running fou4s on a specific mirror and have not noticed any faulty packages, one could assume that this mirror was "clean".

Of course... I forgot fou4s just uses the standard patch notifications provided by SUSE and so faulty packages would have been detected. Clever ;-)

Malte
On Monday 06 March 2006 11:51 am, Malte Gell wrote:
> Why is this a matter of what mirror one chooses? I thought it's only a matter of how YOU or your fou4s checks the signatures?
>
> Malte

YOU doesn't check signatures. It is a security issue. Be very careful of the repositories you set up in YOU. I recommend only using YOU for SUSE provided updates. Use smart, apt/synaptic, etc. for other updates such as KDE, GNOME, etc. because they do some rpm signature checking.

Stan
> > Why is this a matter of what mirror one chooses? I thought it's only a matter of how YOU or your fou4s checks the signatures?
> >
> > Malte
>
> YOU doesn't check signatures. It is a security issue. Be very careful of the

Why do you think YOU doesn't check signatures? I mean, besides the bug...?

> repositories you set up in YOU. I recommend only using YOU for SUSE provided updates. Use smart, apt/synaptic, etc. for other updates such as KDE, GNOME, etc. because they do some rpm signature checking.
>
> Stan

Roman.
On Tuesday 07 March 2006 02:00, Roman Drahtmueller wrote:
> > YOU doesn't check signatures. It is a security issue. Be very careful of the
>
> Why do you think YOU doesn't check signatures? I mean, besides the bug...?

Maybe he talked about own, self set up repositories? I guess YOU can also be used e.g. internally in a LAN or at home to provide users with own stuff, can't it? Is YOU capable of checking own signatures as well in such situations?

Malte
On Tuesday 07 March 2006 6:08 pm, Malte Gell wrote:
> On Tuesday 07 March 2006 02:00, Roman Drahtmueller wrote:
> > > YOU doesn't check signatures. It is a security issue. Be very careful of the
> >
> > Why do you think YOU doesn't check signatures? I mean, besides the bug...?
>
> Maybe he talked about own, self set up repositories? I guess YOU can also be used e.g. internally in a LAN or at home to provide users with own stuff, can't it? Is YOU capable of checking own signatures as well in such situations?
>
> Malte

Apologies to all. I do not know what the heck I was talking about. Please forgive my bad post. Oldenheimer's disease most likely. Malte, you are too kind, thank you. I wish that was my excuse. Marcus, keep up the great work and thank you for calling me on my mistake. I wish I could say this was part of your annual review and you passed the test - politely asking a customer why they are being stupid - and the increase in salary will be reflected in your next 200 paychecks.!.!.! Sheesh...

Stan
On Wednesday 08 March 2006 18:37, S Glasoe wrote:
> On Tuesday 07 March 2006 6:08 pm, Malte Gell wrote:
> > Maybe he talked about own, self set up repositories? I guess YOU can also be used e.g. internally in a LAN or at home to provide users with own stuff, can't it? Is YOU capable of checking own signatures as well in such situations?
>
> Apologies to all. I do not know what the heck I was talking about. Please forgive my bad post. Oldenheimer's disease most likely. Malte, you are too kind, thank you. I wish that was my excuse.

There's no reason to apologize for anything. The question is interesting, using YOU for own, private repositories sounds pretty interesting and I'd be surprised if it wasn't possible somehow ;-)

Malte
On Mon, Mar 06, 2006 at 05:59:51PM +0100, Malte Gell wrote:
> On Wednesday 01 March 2006 10:24, Marcus Meissner wrote:
> > Hello,
> > Package: gpg,liby2util
> > Announcement ID: SUSE-SA:2006:013
> > Date: Wed, 01 Mar 2006 11:00:00 +0000
> > Affected Products: SUSE LINUX 10.0
>
> the longer I think about this, the more this bug frightens me... For so many years up to now it was possible to foist malicious code with faulty gpg signatures... Has there ever been evidence that someone made use of this terribly severe bug?

We have no indication of this.

Ciao, Marcus
participants (5)
- Malte Gell
- Marcus Meissner
- Markus Gaugusch
- Roman Drahtmueller
- S Glasoe