GnuPG Multiple Signed Message Modification Vulnerability

GnuPG is an open-source public/private key encryption system. There is a serious vulnerability in all versions of GnuPG below version 1.0.3b involving verifying the integrity of files with multiple signed messages. When verifying the integrity of these multiple-message files, GnuPG fails to verify each signature, rather flagging the document as either valid or invalid (integrity wise) based on the first message and signature. As a result, it is possible for an attacker to make modifications to signed messages within these files that will go unnoticed by GnuPG so long as the first signed message remains intact. More detailed technical information is available in Werner Koch's post to Bugtraq on the subject.


Privacy Statement
Copyright 2010, SecurityFocus