Mailinglist Archive: opensuse-security (109 mails)

Re: SUSE Security Announcement: gpg,liby2util signature checking problems (SUSE-SA:2006:013)
  • From: Malte Gell <malte.gell@xxxxxx>
  • Date: Mon, 6 Mar 2006 18:51:09 +0100
  • Message-id: <200603061851.10349.malte.gell@xxxxxx>
On Monday 06 March 2006 18:19, Markus Gaugusch wrote:
> On Mar 6, Malte Gell <malte.gell@xxxxxx> wrote:

> > Has there ever been evidence that
> > someone made use of this terribly severe bug?

> I don't think so. Luckily, fou4s [1] has not used the return value at
> all during the past 3 years. It used the text output of the gpg
> --verify command and was therefore immune to that problem.

Are you sure the --verify command was not vulnerable? I thought only
--status-fd gave the correct result...?

> This also
> proves that at least on the common mirrors (ftp.gwdg.de, sometimes
> ftp.leo.org I think, and lately also suse.inode.at) no manipulated
> packages were placed.

Why is this a matter of what mirror one chooses? I thought it's only a
matter of how YOU or your fou4s checks the signatures?

Malte
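
The --status-fd interface Malte asks about is the one GnuPG documents (doc/DETAILS) for programs that have to evaluate a verification result. As an added example, not part of this mail, of fou4s or of SUSE's tooling, here is a POSIX sh routine that decides on the GOODSIG/VALIDSIG status lines instead of gpg's exit code, and additionally pins the fingerprint of the key that is allowed to sign, so a valid signature from some other key in the keyring is rejected too. The status streams and fingerprints below are constructed samples, not captured from a real gpg run.

```shell
#!/bin/sh
# Added example (not from the original mail, fou4s or SUSE): judge a
# gpg --verify run by its machine-readable --status-fd stream rather than
# by its exit code. Keyword formats follow GnuPG's doc/DETAILS.

# sig_status_ok EXPECTED_FINGERPRINT
# Reads a --status-fd stream on stdin. Succeeds (exit 0) only when the
# stream carries a GOODSIG line and a VALIDSIG line whose fingerprint
# (field 3) equals EXPECTED_FINGERPRINT, and no line that marks a failed
# or untrustworthy check. A stream without any signature lines, i.e.
# unsigned data, fails, which is exactly what an exit-code-only check
# cannot be relied on to do.
sig_status_ok() {
    expected_fpr=$1
    good=0 valid=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                good=1 ;;
            "[GNUPG:] VALIDSIG "*)
                set -- $line
                if [ "$3" = "$expected_fpr" ]; then valid=1; fi ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1 ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                bad=1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_status STATUS_TEXT EXPECTED_FINGERPRINT
# Feeds an in-memory status stream to sig_status_ok; for a real package
# you would pipe gpg's output instead:
#   gpg --status-fd 1 --verify pkg.rpm.asc pkg.rpm 2>/dev/null \
#       | sig_status_ok "$FPR_EXPECTED"
verify_status() {
    printf '%s\n' "$1" | sig_status_ok "$2"
}

# Constructed sample data (hypothetical keys and user IDs).
FPR_EXPECTED=0123456789ABCDEF0123456789ABCDEF01234567
FPR_OTHER=FEDCBA9876543210FEDCBA9876543210FEDCBA98

STATUS_GOOD="[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>
[GNUPG:] VALIDSIG $FPR_EXPECTED 2006-03-06 1141664469 0 4 0 17 2 00 $FPR_EXPECTED
[GNUPG:] TRUST_ULTIMATE"

STATUS_BAD="[GNUPG:] BADSIG 0123456789ABCDEF Example Packager <packager@example.org>"

# Cryptographically valid, but made with a key we did not pin.
STATUS_WRONG_KEY="[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.net>
[GNUPG:] VALIDSIG $FPR_OTHER 2006-03-06 1141664469 0 4 0 17 2 00 $FPR_OTHER
[GNUPG:] TRUST_UNDEFINED"

# No signature at all: nothing to parse, so the check must fail.
STATUS_UNSIGNED=""

# demo: print one verdict per sample stream.
demo() {
    for name in STATUS_GOOD STATUS_BAD STATUS_WRONG_KEY STATUS_UNSIGNED; do
        eval "stream=\$$name"
        if verify_status "$stream" "$FPR_EXPECTED"; then
            echo "$name: accepted"
        else
            echo "$name: rejected"
        fi
    done
}
```

Only STATUS_GOOD is accepted; the bad signature, the unsigned stream and the signature from the unpinned key are all rejected. Pinning the fingerprint is the part that makes "the signature verified" mean "the package really came from the distributor" rather than "some key in my keyring signed it".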
