ID CVE-2006-0455
Summary gpgv in GnuPG before 1.4.2.1, when using unattended signature verification, returns a 0 exit code in certain cases even when the detached signature file does not carry a signature, which could cause programs that use gpgv to assume that the signature verification has succeeded. Note: this also occurs when running the equivalent command "gpg --verify".
Vulnerable Configurations
  • GNU GNU Privacy Guard 1.0
    cpe:2.3:a:gnu:privacy_guard:1.0
  • GNU GNU Privacy Guard 1.0.1
    cpe:2.3:a:gnu:privacy_guard:1.0.1
  • GNU GNU Privacy Guard 1.0.2
    cpe:2.3:a:gnu:privacy_guard:1.0.2
  • GNU GNU Privacy Guard 1.0.3
    cpe:2.3:a:gnu:privacy_guard:1.0.3
  • cpe:2.3:a:gnu:privacy_guard:1.0.3b
    cpe:2.3:a:gnu:privacy_guard:1.0.3b
  • GNU GNU Privacy Guard 1.0.4
    cpe:2.3:a:gnu:privacy_guard:1.0.4
  • GNU GNU Privacy Guard 1.0.5
    cpe:2.3:a:gnu:privacy_guard:1.0.5
  • GNU GNU Privacy Guard 1.0.6
    cpe:2.3:a:gnu:privacy_guard:1.0.6
  • GNU GNU Privacy Guard 1.0.7
    cpe:2.3:a:gnu:privacy_guard:1.0.7
  • GNU GNU Privacy Guard 1.2
    cpe:2.3:a:gnu:privacy_guard:1.2
  • GNU GNU Privacy Guard 1.2.1
    cpe:2.3:a:gnu:privacy_guard:1.2.1
  • GNU GNU Privacy Guard 1.2.2
    cpe:2.3:a:gnu:privacy_guard:1.2.2
  • cpe:2.3:a:gnu:privacy_guard:1.2.2:rc1
    cpe:2.3:a:gnu:privacy_guard:1.2.2:rc1
  • GNU GNU Privacy Guard 1.2.3
    cpe:2.3:a:gnu:privacy_guard:1.2.3
  • GNU GNU Privacy Guard 1.2.4
    cpe:2.3:a:gnu:privacy_guard:1.2.4
  • GNU GNU Privacy Guard 1.2.5
    cpe:2.3:a:gnu:privacy_guard:1.2.5
  • GNU GNU Privacy Guard 1.2.6
    cpe:2.3:a:gnu:privacy_guard:1.2.6
  • GNU GNU Privacy Guard 1.2.7
    cpe:2.3:a:gnu:privacy_guard:1.2.7
  • GNU GNU Privacy Guard 1.3.3
    cpe:2.3:a:gnu:privacy_guard:1.3.3
  • GNU GNU Privacy Guard 1.3.4
    cpe:2.3:a:gnu:privacy_guard:1.3.4
  • GNU GNU Privacy Guard 1.4
    cpe:2.3:a:gnu:privacy_guard:1.4
  • GNU GNU Privacy Guard 1.4.1
    cpe:2.3:a:gnu:privacy_guard:1.4.1
  • GNU GNU Privacy Guard 1.4.2
    cpe:2.3:a:gnu:privacy_guard:1.4.2
CVSS
Base: 4.6 (as of 16-02-2006 - 10:40)
Impact:
Exploitability:
Access
  Vector LOCAL
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity PARTIAL
  Availability PARTIAL
exploit-db via4
description GnuPG 1.x Detached Signature Verification Bypass Vulnerability. CVE-2006-0455. Local exploit for linux platform
id EDB-ID:27231
last seen 2016-02-03
modified 2006-02-15
published 2006-02-15
reporter taviso
source https://www.exploit-db.com/download/27231/
title GnuPG 1.x Detached Signature Verification Bypass Vulnerability
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2006-116.NASL
    description The GNU Privacy Guard provides encryption and signing for messages and arbitrary files, and implements the OpenPGP standard as described by IETF RFC2440. Version 1.4.2 of GnuPG would in some cases erroneously exit with status 0 (signaling no errors) if it was invoked to check a signature but found no signature to check. This should be corrected in version 1.4.2.1. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20937
    published 2006-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20937
    title Fedora Core 4 : gnupg-1.4.2.1-1 (2006-116)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-978.NASL
    description Tavis Ormandy noticed that gnupg, the GNU privacy guard - a free PGP replacement, verifies external signatures of files successfully even though they don't contain a signature at all.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 22844
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22844
    title Debian DSA-978-1 : gnupg - programming error
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-252-1.NASL
    description Tavis Ormandy discovered a potential weakness in the signature verification of gnupg. gpgv and gpg --verify returned a successful exit code even if the checked file did not have any signature at all. The recommended way of checking the result is to evaluate the status messages, but some third-party applications might just check the exit code for determining whether or not a signature is valid. These applications could be tricked into erroneously reporting a valid signature. Please note that this does not affect the Ubuntu package signature checks. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 21071
    published 2006-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21071
    title Ubuntu 4.10 / 5.04 / 5.10 : gnupg vulnerability (USN-252-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_63FE41899F9711DAAC320001020EED82.NASL
    description Werner Koch reports: The Gentoo project identified a security related bug in GnuPG. When using any current version of GnuPG for unattended signature verification (e.g. by scripts and mail programs), false positive signature verification of detached signatures may occur. This problem affects the tool *gpgv*, as well as using 'gpg --verify' to imitate gpgv, if only the exit code of the process is used to decide whether a detached signature is valid. This is a plausible mode of operation for gpgv. If, as suggested, the --status-fd generated output is used to decide whether a signature is valid, no problem exists. In particular applications making use of the GPGME library[2] are not affected.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 21442
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21442
    title FreeBSD : gnupg -- false positive signature verification (63fe4189-9f97-11da-ac32-0001020eed82)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0266.NASL
    description An updated GnuPG package that fixes signature verification flaws as well as minor bugs is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue. Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. Please note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues. All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21990
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21990
    title CentOS 3 / 4 : gnu / gnupg (CESA-2006:0266)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0266.NASL
    description An updated GnuPG package that fixes signature verification flaws as well as minor bugs is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue. Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. Please note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues. All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 21090
    published 2006-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21090
    title RHEL 2.1 / 3 / 4 : gnupg (RHSA-2006:0266)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-072-02.NASL
    description New GnuPG packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 21075
    published 2006-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21075
    title Slackware 10.0 / 10.1 / 10.2 / 9.0 / 9.1 / current : gnupg (SSA:2006-072-02)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200602-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-200602-10 (GnuPG: Incorrect signature verification) Tavis Ormandy of the Gentoo Linux Security Auditing Team discovered that automated systems relying on the return code of GnuPG or gpgv to authenticate digital signatures may be misled by malformed signatures. GnuPG documentation states that a return code of zero (0) indicates success, however gpg and gpgv may also return zero if no signature data was found in a detached signature file. Impact: An attacker may be able to bypass authentication in automated systems relying on the return code of gpg or gpgv to authenticate digital signatures. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 20938
    published 2006-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20938
    title GLSA-200602-10 : GnuPG: Incorrect signature verification
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-043.NASL
    description Tavis Ormandy discovered it is possible to make gpg incorrectly return success when verifying an invalid signature file. The updated packages have been patched to address this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20942
    published 2006-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20942
    title Mandrake Linux Security Advisory : gnupg (MDKSA-2006:043)
oval via4
accepted 2013-04-29T04:01:23.930-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description gpgv in GnuPG before 1.4.2.1, when using unattended signature verification, returns a 0 exit code in certain cases even when the detached signature file does not carry a signature, which could cause programs that use gpgv to assume that the signature verification has succeeded. Note: this also occurs when running the equivalent command "gpg --verify".
family unix
id oval:org.mitre.oval:def:10084
status accepted
submitted 2010-07-09T03:56:16-04:00
title gpgv in GnuPG before 1.4.2.1, when using unattended signature verification, returns a 0 exit code in certain cases even when the detached signature file does not carry a signature, which could cause programs that use gpgv to assume that the signature verification has succeeded. Note: this also occurs when running the equivalent command "gpg --verify".
version 23
redhat via4
advisories
bugzilla
id 184556
title CVE-2006-0049 Gnupg incorrect malformed message verification
oval
OR
  • AND
    comment Red Hat Enterprise Linux 3 is installed
    oval oval:com.redhat.rhsa:tst:20060015001
  • AND
    comment Red Hat Enterprise Linux 4 is installed
    oval oval:com.redhat.rhsa:tst:20060016001
rhsa
id RHSA-2006:0266
released 2006-03-15
severity Important
title RHSA-2006:0266: gnupg security update (Important)
refmap via4
bid 16663
bugtraq 20060215 False positive signature verification in GnuPG
debian DSA-978
fedora
  • FEDORA-2006-116
  • FLSA-2006:185355
gentoo GLSA-200602-10
mandriva MDKSA-2006:043
mlist
  • [gnupg-announce] 20060215 False positive signature verification in GnuPG
  • [gnupg-devel] 20060215 [Announce] False positive signature verification in GnuPG
openpkg OpenPKG-SA-2006.001
osvdb 23221
secunia
  • 18845
  • 18933
  • 18934
  • 18942
  • 18955
  • 18956
  • 18968
  • 19130
  • 19249
  • 19532
sgi 20060401-01-U
slackware SSA:2006-072-02
suse
  • SUSE-SA:2006:009
  • SUSE-SA:2006:013
  • SUSE-SR:2006:005
trustix 2006-0008
ubuntu USN-252-1
vupen ADV-2006-0610
xf gnupg-gpgv-improper-verification(24744)
Last major update 17-10-2016 - 23:38
Published 15-02-2006 - 17:06
Last modified 19-10-2018 - 11:44