Mailinglist Archive: opensuse-security (109 mails)

< Previous Next >
Re: SUSE Security Announcement: gpg,liby2util signature checking problems (SUSE-SA:2006:013)
  • From: Markus Gaugusch <markus@xxxxxxxxxxx>
  • Date: Mon, 6 Mar 2006 18:59:15 +0100 (CET)
  • Message-id: <Pine.LNX.4.63.0603061856460.16087@xxxxxxxxxxxxxxxxxxx>
On Mar 6, Malte Gell <malte.gell@xxxxxx> wrote:

> On Monday 06 March 2006 18:19, Markus Gaugusch wrote:
> > On Mar 6, Malte Gell <malte.gell@xxxxxx> wrote:
>
> > > Has there ever been evidene that
> > > someone made use of this terribly severe bug?
>
> > I don't think so. Luckily, fou4s [1] has not used the return value at
> > all during the past 3 years. It used the text output of the gpg
> > --verify command and was therefore immune to that problem.
>
> Are you sure, the --verify command was not vulnerable? I thought only
> --status-fd gave the correct result...?

The problem was in the return value of the --verify option. It was (I
think) ALWAYS 0 (which means "OK"). But fou4s did not check the return
type, it parsed the text output of this option (which was "ok" or "not
ok", e.g. showing the real test result).

> > This also proofs that at least on the common mirrors (ftp.gwdg.de,
> > sometimes ftp.leo.org I think, and lately also suse.inode.at) no
> > manipulated package were placed.
>
> Why is this a matter of what mirror one choses? I thought it´s only a
> matter of how YOU or your fou4s checks the signatures?

If I was running fou4s on a specific mirror and have not noticed any
faulty packages, one could assume that this mirror was "clean".

Markus

--
__________________ /"\
Markus Gaugusch \ / ASCII Ribbon Campaign
markus(at)gaugusch.at X Against HTML Mail
/ \
< Previous Next >
Follow Ups