Your message dated Mon, 07 Oct 2013 19:18:32 +0000 with message-id <e1vtgk8-0003xc...@franck.debian.org> and subject line Bug#704645: fixed in gnupg 1.4.15-1 has caused the Debian Bug report #704645, regarding [gnupg/1486] gnupg: gpg --verify suggests entire file was verified, even if file contains auxiliary data to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 704645: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704645 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: cdebootstrap Version: 0.5.9 Severity: grave Tags: security Usertags: gpg-clearsign cdebootstrap can be tricked into unsigned data from an InRelease file. This makes the verification of the gpg signature useless. The particular bug here is in libdebian-installer (0.85)'s parser. It treats "-----BEGIN PGP SIGNED MESSAGE----- NOT" as a marker for the start of the signed data (which it obviously isn't). So one can prepend a InRelease file looking like ---- -----BEGIN PGP SIGNED MESSAGE----- NOT Hash: SHA1 <insert malicious Release file contents here> -----BEGIN PGP SIGNATURE----- NOT ---- to a valid InRelease file. gpgv will see the signature in the later part and report that there is no problem, but cdebootstrap will use the first part of the file. The easy workaround is to disable InRelease support which was already done for apt. Other options are splitting InRelease into Release and Release.gpg and verifying those OR using gpg to both extract the signed data and check the signature. Ansgar
--- End Message ---
--- Begin Message ---Source: gnupg Source-Version: 1.4.15-1 We believe that the bug you reported is fixed in the latest version of gnupg, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 704...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thijs Kinkhorst <th...@debian.org> (supplier of updated gnupg package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Mon, 07 Oct 2013 20:05:43 +0200 Source: gnupg Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32 Architecture: source all amd64 Version: 1.4.15-1 Distribution: unstable Urgency: high Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org> Changed-By: Thijs Kinkhorst <th...@debian.org> Description: gnupg - GNU privacy guard - a free PGP replacement gnupg-curl - GNU privacy guard - a free PGP replacement (cURL) gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb) gpgv - GNU privacy guard - signature verification tool gpgv-udeb - minimal signature verification tool (udeb) gpgv-win32 - GNU privacy guard - signature verification tool (win32 build) Closes: 704645 725439 725718 Changes: gnupg (1.4.15-1) unstable; urgency=high . * New upstream release (closes: #725718). - Fixed possible denial of service in the compressed packet parser (CVE-2013-4402, closes: #725439). - Documents limitations of the verify command (closes: #704645). Checksums-Sha1: d536ab12e099940ffd931b1edfb895d3192b2fcc 1968 gnupg_1.4.15-1.dsc 2881c8174c15bb86ecf2e879cb7ca22c91fbcf93 5066798 gnupg_1.4.15.orig.tar.gz 2f96594111e8207df9eaa1f7ce0a2c0098a4abe7 27171 gnupg_1.4.15-1.debian.tar.gz 1abc6130329ae99ca15c6ca7287d57a5cb45392c 484870 gpgv-win32_1.4.15-1_all.deb 041fb1e2c57fb89c24164bfdfe35019deed968f8 1126378 gnupg_1.4.15-1_amd64.deb c9c73d27ea33e19c3cffec22886571d9dd8e7d28 60862 gnupg-curl_1.4.15-1_amd64.deb 238a0ea59cfd3fb6e0e26a6196016982120a6273 201008 gpgv_1.4.15-1_amd64.deb a68b3bde0c6f10416f7d257f83efa72f81d13bba 353970 gnupg-udeb_1.4.15-1_amd64.udeb 03d1a81355b4b7726cab858c532347a3602779e7 130072 gpgv-udeb_1.4.15-1_amd64.udeb Checksums-Sha256: 965dcc7d1840ab56962bf196024e388a1a55723adf3768c3e49ac1e885a5acc7 1968 gnupg_1.4.15-1.dsc 0b91e293e8566e5b841f280329b1e6fd773f7d3826844c69bec676124e0a0bb3 5066798 gnupg_1.4.15.orig.tar.gz e77d83f8cb062716ebbdf15fbfe0755afe70a8da8b0e81da37c4cd7de7edcf28 27171 gnupg_1.4.15-1.debian.tar.gz 780fe3073b4e2ca6bd5c1235a3f74521708d06973903f88e26cbed2b75df00d5 484870 gpgv-win32_1.4.15-1_all.deb ce3d0386cf39c66d3ec764236b91193dbf4c0a487b14268c156cc4c0455eee5c 1126378 gnupg_1.4.15-1_amd64.deb d9ed68c0e5a88d1905f7636289d96be0fec11d9237d1a8561d636a03613ee75c 60862 gnupg-curl_1.4.15-1_amd64.deb cb82d85ce9b4d341196cf722da1020f98aa7a3df141b044d0ae258dcaf6689ff 201008 gpgv_1.4.15-1_amd64.deb a7c0a2b3bc1587cb5e491a7e73e0c7fb5274c1d768f44d1b441304eb10cd8ce8 353970 gnupg-udeb_1.4.15-1_amd64.udeb 6009e419877c2e35572a6718823018e6be3169223cf055421b087b3fbbc63ef2 130072 gpgv-udeb_1.4.15-1_amd64.udeb Files: db50208f250e49dfd211beb744eae151 1968 utils important gnupg_1.4.15-1.dsc c04ba3eb68766c01ac26cabee1af1eac 5066798 utils important gnupg_1.4.15.orig.tar.gz 712ea647166f756c212f24270992725b 27171 utils important gnupg_1.4.15-1.debian.tar.gz 543b5e17f7f091b7a49d01ba18fd4a5d 484870 utils extra gpgv-win32_1.4.15-1_all.deb 38c6e43c32f4fcfb11d5235afc0f0983 1126378 utils important gnupg_1.4.15-1_amd64.deb f7372c39d19d3d48e9315d3ba849de81 60862 utils optional gnupg-curl_1.4.15-1_amd64.deb ae9ac8291fafd797dd7b7b5d22d9c0cc 201008 utils important gpgv_1.4.15-1_amd64.deb 7c256d3ae62e38f80719054cfc367085 353970 debian-installer extra gnupg-udeb_1.4.15-1_amd64.udeb 2afdaed5689c25f6b38eaab7203a54ed 130072 debian-installer extra gpgv-udeb_1.4.15-1_amd64.udeb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQEcBAEBAgAGBQJSUwSSAAoJEFb2GnlAHawEEdEIAIpGXUNdN5baUHLlg1Bs9F61 kQvAUUw3zdj7B8KNVzxlRZQApBS0H3uKtGyxKpKOXOwB3MQt9k+CdEvPLJJyEEjN ElOVVq4x7vWAk1hCPcC6cJuO0YeVEeMABA78Nuw/dYm6STHzFrcI8mxlWuteEUTT c4eaIEwopX2Y4PEvmcmC1bnB7OHvswfYKIgkb5Yzyq7LibHy1S13+wqIgXeVH/aS o9Dl+exv+RvMeq2K/abkxVpiwaUgJgW8Nij16vx8hUaq52Q4TasLlaFRPUYt91bI kycHYCuFtHO0PsjcSe/mIi/c4pnGvfIkGjtVhmqUuG7my5iGgLCUcquJ4WAmEwA= =AGKZ -----END PGP SIGNATURE-----
--- End Message ---
