On Sat, April 6, 2013 12:45, Thijs Kinkhorst wrote:
> I'm seeking input from GnuPG upstream for their view on this case.
I have forwarded the issue. Upstream acknowledges the issue but does not
seem prepared to change the behaviour of the --verify command.
As described in #705536, I do not think
Hi,
Same thing happened with debootstrap recently, see #703146
InRelease support was disabled because we can't get a proper cleartext
out of this file, and modifying gpgv to get it is too much work.
Regards,
--
Benjamin Cama
Processing commands for cont...@bugs.debian.org:
> retitle 704645 gpg --verify suggests entire file was verified, even if file
> contains auxiliary data
Bug #704645 [gnupg] cdebootstrap: signature verification bypass with
manipulated InRelease file
Changed Bug title to 'gpg --verify suggests ent
retitle 704645 gpg --verify suggests entire file was verified, even if file
contains auxiliary data
thanks
Hi,
After some discussion I've come to the following description of this request
(submitters, please correct or augment where necessary):
"gpg --verify " returns a binary answer: has a val
Processing control commands:
> unmerge -1
Bug #704613 [gnupg] cdebootstrap: signature verification bypass with
manipulated InRelease file
Bug #704645 [gnupg] cdebootstrap: signature verification bypass with
manipulated InRelease file
Disconnected #704613 from all other report(s).
> reassign -1 c
Control: unmerge -1
Control: reassign -1 cdebootstrap 0.5.9
Control: severity -1 grave
Bastian Blank writes:
> On Thu, Apr 04, 2013 at 12:24:26AM +0200, Bastian Blank wrote:
>> On Wed, Apr 03, 2013 at 04:58:05PM +0200, Ansgar Burchardt wrote:
>> > So one can prepend an InRelease file looking like
Processing control commands:
> reassign -1 gnupg
Bug #704613 [cdebootstrap] cdebootstrap: signature verification bypass with
manipulated InRelease file
Bug reassigned from package 'cdebootstrap' to 'gnupg'.
No longer marked as found in versions cdebootstrap/0.5.9.
Ignoring request to alter fixed
Control: reassign -1 gnupg
Control: forcemerge -1 704645
Control: severity -1 critical
On Thu, Apr 04, 2013 at 12:24:26AM +0200, Bastian Blank wrote:
> On Wed, Apr 03, 2013 at 04:58:05PM +0200, Ansgar Burchardt wrote:
> > So one can prepend an InRelease file looking like
> >
> > -----BEGIN PGP
Processing control commands:
> clone -1 -2
Bug #704613 [cdebootstrap] cdebootstrap: signature verification bypass with
manipulated InRelease file
Bug 704613 cloned as bug 704645
> reassign -2 gnupg
Bug #704645 [cdebootstrap] cdebootstrap: signature verification bypass with
manipulated InRelease
Control: clone -1 -2
Control: reassign -2 gnupg
On Wed, Apr 03, 2013 at 04:58:05PM +0200, Ansgar Burchardt wrote:
> So one can prepend an InRelease file looking like
>
> -----BEGIN PGP SIGNED MESSAGE----- NOT
> Hash: SHA1
>
>
>
> -----BEGIN PGP SIGNATURE----- NOT
>
This is a bug in gn
Package: cdebootstrap
Version: 0.5.9
Severity: grave
Tags: security
Usertags: gpg-clearsign
cdebootstrap can be tricked into using unsigned data from an InRelease file.
This makes the verification of the gpg signature useless.
The particular bug here is in libdebian-installer (0.85)'s parser. It
treats