ID CVE-2006-0049
Summary gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455.
References
Vulnerable Configurations
  • GNU GNU Privacy Guard 1.0
    cpe:2.3:a:gnu:privacy_guard:1.0
  • GNU GNU Privacy Guard 1.0.1
    cpe:2.3:a:gnu:privacy_guard:1.0.1
  • GNU GNU Privacy Guard 1.0.2
    cpe:2.3:a:gnu:privacy_guard:1.0.2
  • GNU GNU Privacy Guard 1.0.3
    cpe:2.3:a:gnu:privacy_guard:1.0.3
  • cpe:2.3:a:gnu:privacy_guard:1.0.3b
    cpe:2.3:a:gnu:privacy_guard:1.0.3b
  • GNU GNU Privacy Guard 1.0.4
    cpe:2.3:a:gnu:privacy_guard:1.0.4
  • GNU GNU Privacy Guard 1.0.5
    cpe:2.3:a:gnu:privacy_guard:1.0.5
  • GNU GNU Privacy Guard 1.0.6
    cpe:2.3:a:gnu:privacy_guard:1.0.6
  • GNU GNU Privacy Guard 1.0.7
    cpe:2.3:a:gnu:privacy_guard:1.0.7
  • GNU GNU Privacy Guard 1.2
    cpe:2.3:a:gnu:privacy_guard:1.2
  • GNU GNU Privacy Guard 1.2.1
    cpe:2.3:a:gnu:privacy_guard:1.2.1
  • GNU GNU Privacy Guard 1.2.2
    cpe:2.3:a:gnu:privacy_guard:1.2.2
  • cpe:2.3:a:gnu:privacy_guard:1.2.2:rc1
    cpe:2.3:a:gnu:privacy_guard:1.2.2:rc1
  • GNU GNU Privacy Guard 1.2.3
    cpe:2.3:a:gnu:privacy_guard:1.2.3
  • GNU GNU Privacy Guard 1.2.4
    cpe:2.3:a:gnu:privacy_guard:1.2.4
  • GNU GNU Privacy Guard 1.2.5
    cpe:2.3:a:gnu:privacy_guard:1.2.5
  • GNU GNU Privacy Guard 1.2.6
    cpe:2.3:a:gnu:privacy_guard:1.2.6
  • GNU GNU Privacy Guard 1.2.7
    cpe:2.3:a:gnu:privacy_guard:1.2.7
  • GNU GNU Privacy Guard 1.3.3
    cpe:2.3:a:gnu:privacy_guard:1.3.3
  • GNU GNU Privacy Guard 1.3.4
    cpe:2.3:a:gnu:privacy_guard:1.3.4
  • GNU GNU Privacy Guard 1.4
    cpe:2.3:a:gnu:privacy_guard:1.4
  • GNU GNU Privacy Guard 1.4.1
    cpe:2.3:a:gnu:privacy_guard:1.4.1
  • GNU GNU Privacy Guard 1.4.2
    cpe:2.3:a:gnu:privacy_guard:1.4.2
  • GNU GNU Privacy Guard 1.4.2.1
    cpe:2.3:a:gnu:privacy_guard:1.4.2.1
CVSS
Base: 5.0 (as of 14-03-2006 - 07:55)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_948921ADAFBC11DABAD902E081235DAB.NASL
    description Werner Koch reports: In the aftermath of the false positive signature verification bug (announced 2006-02-15) more thorough testing of the fix has been done and another vulnerability has been detected. This new problem affects the use of *gpg* for verification of signatures which are _not_ detached signatures. The problem also affects verification of signatures embedded in encrypted messages; i.e. standard use of gpg for mails.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 21478
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21478
    title FreeBSD : GnuPG does not detect injection of unsigned data (948921ad-afbc-11da-bad9-02e081235dab)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200603-08.NASL
    description The remote host is affected by the vulnerability described in GLSA-200603-08 (GnuPG: Incorrect signature verification) OpenPGP is the standard that defines the format of digital signatures supported by GnuPG. OpenPGP signatures consist of multiple sections, in a strictly defined order. Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that certain illegal signature formats could allow signed data to be modified without detection. GnuPG has previously attempted to be lenient when processing malformed or legacy signature formats, but this has now been found to be insecure. Impact : A remote attacker may be able to construct or modify a digitally-signed message, potentially allowing them to bypass authentication systems, or impersonate another user. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 21046
    published 2006-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21046
    title GLSA-200603-08 : GnuPG: Incorrect signature verification
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-993.NASL
    description Tavis Ormandy noticed that gnupg, the GNU privacy guard - a free PGP replacement, can be tricked to emit a 'good signature' status message when a valid signature is included which does not belong to the data packet. This update basically adds fixed packages for woody whose version turned out to be vulnerable as well.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22859
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22859
    title Debian DSA-993-2 : gnupg - programming error
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0266.NASL
    description An updated GnuPG package that fixes signature verification flaws as well as minor bugs is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue. Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. Please note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues. All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21990
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21990
    title CentOS 3 / 4 : gnu / gnupg (CESA-2006:0266)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-055.NASL
    description Another vulnerability, different from that fixed in MDKSA-2006:043 (CVE-2006-0455), was discovered in gnupg in the handling of signature files. This vulnerability is corrected in gnupg 1.4.2.2 which is being provided with this update.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21098
    published 2006-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21098
    title Mandrake Linux Security Advisory : gnupg (MDKSA-2006:055)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0266.NASL
    description An updated GnuPG package that fixes signature verification flaws as well as minor bugs is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue. Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. Please note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues. All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 21090
    published 2006-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21090
    title RHEL 2.1 / 3 / 4 : gnupg (RHSA-2006:0266)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-264-1.NASL
    description Tavis Ormandy discovered a flaw in gnupg's signature verification. In some cases, certain invalid signature formats could cause gpg to report a 'good signature' result for auxiliary unsigned data which was prepended or appended to the checked message part. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 21182
    published 2006-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21182
    title Ubuntu 4.10 / 5.04 / 5.10 : gnupg vulnerability (USN-264-1)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-072-02.NASL
    description New GnuPG packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 21075
    published 2006-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21075
    title Slackware 10.0 / 10.1 / 10.2 / 9.0 / 9.1 / current : gnupg (SSA:2006-072-02)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2006-147.NASL
    description Tavis Ormandy discovered a flaw in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to add unsigned text to a signed message in such a way so that when the signed text is extracted, the unsigned text is extracted as well, appearing as if it had been signed. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21076
    published 2006-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21076
    title Fedora Core 4 : gnupg-1.4.2.2-1 (2006-147)
oval via4
accepted 2013-04-29T04:01:04.449-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455.
family unix
id oval:org.mitre.oval:def:10063
status accepted
submitted 2010-07-09T03:56:16-04:00
title gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455.
version 24
redhat via4
advisories
rhsa
id RHSA-2006:0266
refmap via4
bid 17058
bugtraq 20060309 GnuPG does not detect injection of unsigned data
debian DSA-993
fedora
  • FEDORA-2006-147
  • FLSA-2006:185355
gentoo GLSA-200603-08
mandriva MDKSA-2006:055
mlist [gnupg-announce] 20060309 [Announce] GnuPG does not detect injection of unsigned data
osvdb 23790
sectrack 1015749
secunia
  • 19173
  • 19197
  • 19203
  • 19231
  • 19232
  • 19234
  • 19244
  • 19249
  • 19287
  • 19532
sgi 20060401-01-U
slackware SSA:2006-072-02
sreason
suse SUSE-SA:2006:014
trustix 2006-0014
ubuntu USN-264-1
vupen ADV-2006-0915
xf gnupg-nondetached-sig-verification(25184)
Last major update 07-03-2011 - 21:29
Published 13-03-2006 - 16:06
Last modified 19-10-2018 - 11:42