• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

GnuPG Incorrect Non-Detached Signature Verification Vulnerability

GnuPG is prone to a vulnerability involving incorrect verification of non-detached signatures.

A successful attack can allow an attacker to simply take a signed message, inject arbitrary data into it, and bypass verification.

Note that this issue also affects verification of signatures embedded in encrypted messages. Scripts and applications using gpg are affected, as are applications using the GPGME library.

GnuPG versions prior to 1.4.2.2 are vulnerable to this issue.