Mailinglist Archive: opensuse-security (109 mails)

Re: SUSE Security Announcement: gpg,liby2util signature checking problems (SUSE-SA:2006:013)
  • From: Markus Gaugusch <markus@xxxxxxxxxxx>
  • Date: Mon, 6 Mar 2006 18:19:49 +0100 (CET)
  • Message-id: <Pine.LNX.4.63.0603061814440.16087@xxxxxxxxxxxxxxxxxxx>
On Mar 6, Malte Gell <malte.gell@xxxxxx> wrote:

> On Wednesday 01 March 2006 10:24, Marcus Meissner wrote:
>
> Hello,
>
> > Package: gpg,liby2util
> > Announcement ID: SUSE-SA:2006:013
> > Date: Wed, 01 Mar 2006 11:00:00 +0000
> > Affected Products: SUSE LINUX 10.0
>
> the longer I think about this, the more this bug frightens me... For so
> many years up to now it was possible to foist malicious code with
> faulty gpg signatures... Has there ever been evidence that someone made
> use of this terribly severe bug?

I don't think so. Luckily, fou4s [1] has not used the return value at all
during the past 3 years. It used the text output of the gpg --verify
command and was therefore immune to that problem. This also proves that at
least on the common mirrors (ftp.gwdg.de, sometimes ftp.leo.org I think,
and lately also suse.inode.at) no manipulated packages were placed.

Of course this is not guaranteed for other mirrors, but maybe other fou4s
users can give you some assurance there as well.

Markus
[1] http://fou4s.gaugusch.at

--
__________________ /"\
Markus Gaugusch \ / ASCII Ribbon Campaign
markus(at)gaugusch.at X Against HTML Mail
/ \
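The approach Markus describes, trusting what gpg reports about the signature rather than its exit status alone, as an added Python example (not fou4s code and not from the original mail): it reads gpg's machine-readable `--status-fd` lines and accepts a file only when the exit code, exactly one GOODSIG/VALIDSIG pair, and an allow-list of trusted key fingerprints all agree. The sample status lines and the fingerprint are constructed dummies.

```python
import subprocess
from typing import List, Set, Tuple

STATUS_PREFIX = "[GNUPG:] "
# Status keywords after which a verification must be rejected (names from gpg's doc/DETAILS).
REJECT = {"BADSIG", "ERRSIG", "NODATA", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(status_text: str) -> List[Tuple[str, str]]:
    """Split gpg --status-fd output into (keyword, arguments) pairs; other lines are ignored."""
    events = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            events.append((keyword, args.strip()))
    return events


def decide(returncode: int, status_text: str, trusted_fprs: Set[str]) -> Tuple[bool, str]:
    """Accept only when exit status AND status lines agree on one good signature from a trusted key."""
    if returncode != 0:
        return False, "gpg exited with status %d" % returncode
    events = parse_status(status_text)
    keywords = [k for k, _ in events]
    bad = REJECT.intersection(keywords)
    if bad:
        return False, "rejected by status: " + ", ".join(sorted(bad))
    validsigs = [args for k, args in events if k == "VALIDSIG"]
    if keywords.count("GOODSIG") != 1 or len(validsigs) != 1:
        return False, "expected exactly one GOODSIG and one VALIDSIG line"
    fields = validsigs[0].split()
    # VALIDSIG lists the signing key's fingerprint first and the primary key's as the 10th field.
    primary = fields[9] if len(fields) >= 10 else fields[0]
    if primary.upper() not in {f.upper() for f in trusted_fprs}:
        return False, "good signature, but key %s is not in the trusted set" % primary
    return True, "good signature from trusted key " + primary


def verify_file(data_path: str, sig_path: str, trusted_fprs: Set[str]) -> Tuple[bool, str]:
    """Run gpg --verify with status lines on stdout and apply decide() to the result."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
    return decide(proc.returncode, proc.stdout, trusted_fprs)


# Constructed status output for a good detached signature (dummy key id and fingerprint).
FPR = "0" * 25 + "123456789ABCDEF"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG %s 2006-03-01 1141210800 0 4 0 17 2 00 %s\n" % (FPR, FPR) +
    "[GNUPG:] TRUST_ULTIMATE\n")
TRUSTED = {FPR}
```

A run with exit status 0 but no GOODSIG line (for example only a NODATA status) is rejected, which is exactly the case an exit-code-only check would let through.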
