Control: clone -1 -2
Control: reassign -2 gnupg

On Wed, Apr 03, 2013 at 04:58:05PM +0200, Ansgar Burchardt wrote:
> So one can prepend an InRelease file looking like
> ----
> -----BEGIN PGP SIGNED MESSAGE----- NOT
> Hash: SHA1
>
> <insert malicious Release file contents here>
>
> -----BEGIN PGP SIGNATURE----- NOT
> ----

This is a bug in gnupg, this is clearly no valid file clearsign message anymore, see RFC 4880, section 7.

Bastian

-- 
Death, when unnecessary, is a tragic thing.
		-- Flint, "Requiem for Methuselah", stardate 5843.7
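
A strict framing check for the layout RFC 4880, section 7 describes, as an added example that is not part of the original message and is not gnupg or apt code. The function name and sample strings are hypothetical and constructed; it assumes the caller requires the file to be exactly one clearsigned message, and it checks framing only, not the signature.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
ARMOR_LIKE = re.compile(r"^-----(BEGIN|END) PGP [A-Z ]+-----")

# Constructed samples: a well-framed message with a placeholder signature body,
# and the block quoted in the message above placed in front of it.
GOOD = (f"{BEGIN_MSG}\nHash: SHA256\n\nOrigin: Example\n{BEGIN_SIG}\n\n"
        f"(placeholder, not a real signature)\n{END_SIG}\n")
BAD = f"{BEGIN_MSG} NOT\nHash: SHA1\n\nSuite: placeholder\n\n{BEGIN_SIG} NOT\n" + GOOD


def framing_problems(text):
    """Return framing violations; an empty list means the text is exactly one
    well-framed clearsigned message (the signature itself is NOT verified)."""
    lines = text.splitlines()
    problems = []
    # An armor marker may only be followed by whitespace on its own line.
    for no, line in enumerate(lines, 1):
        if ARMOR_LIKE.match(line) and line.rstrip() not in (BEGIN_MSG, BEGIN_SIG, END_SIG):
            problems.append(f"line {no}: text after armor header line")
    if not lines or lines[0].rstrip() != BEGIN_MSG:
        problems.append("line 1: file does not start with the cleartext header")
        return problems
    i = 1
    while i < len(lines) and lines[i].startswith("Hash: "):
        i += 1
    if i == 1 or i >= len(lines) or lines[i].strip() != "":
        problems.append(f"line {i + 1}: expected Hash header(s), then one empty line")
        return problems
    i += 1
    # Cleartext: a line starting with '-' must be dash-escaped as '- '.
    while i < len(lines) and lines[i].rstrip() != BEGIN_SIG:
        if lines[i].startswith("-") and not lines[i].startswith("- "):
            problems.append(f"line {i + 1}: unescaped '-' in cleartext")
        i += 1
    ends = [j for j in range(i, len(lines)) if lines[j].rstrip() == END_SIG]
    if not ends:
        problems.append("signature block missing or not terminated")
        return problems
    if any(rest.strip() for rest in lines[ends[0] + 1:]):
        problems.append(f"line {ends[0] + 2}: data after the signature block")
    return problems
```

A caller would reject the file whenever the returned list is non-empty, before handing anything to signature verification.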