Hi! It has been pointed out that there is another bug in the signature verification code of GnuPG. * This can easily lead to false positives * All versions of GnuPG released before today are vulnerable! To check a detached singature you normally do this: gpg --verify foo.sig foo.txt The problem here is that someone may replace foo.sig with a standard signature containing some arbitrary signed text and its signature, and then modify foo.txt - GnuPG does not detect this - Ooops. The solution for this problem ist not easy and needs a change in the semantics of the --verify command: It will not any longer be possible to do this: gpg --verify foo.sig signed_data ) {
+ log_error (_("not a detached signature\n") );
+ return;
+ }
for( n1 = node; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )); )
check_sig_and_print( c, n1 );
@@ -1307,6 +1314,10 @@
log_error("cleartext signature without data\n" );
return;
}
+ else if ( c->signed_data ) {
+ log_error (_("not a detached signature\n") );
+ return;
+ }
for( n1 = node; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )); )
check_sig_and_print( c, n1 );
@@ -1365,6 +1376,10 @@
return;
}
}
+ else if ( c->signed_data ) {
+ log_error (_("not a detached signature\n") );
+ return;
+ }
else
log_info(_("old style (PGP 2.x) signature\n"));
--- gnupg-1.0.4/g10/plaintext.c Wed Jul 26 11:21:58 2000
+++ gnupg-stable/g10/plaintext.c Thu Nov 30 11:03:03 2000
@@ -370,7 +370,7 @@
const char *sigfilename, int textmode )
{
IOBUF fp;
- STRLIST sl=NULL;
+ STRLIST sl;
if( !files ) {
/* check whether we can open the signed material */
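Review bot: The new `else if ( c->signed_data )` branch in the @@ -1307 hunk reports the refusal with log_error and then plain `return;`, so whether `gpg --verify sig.asc data` exits non-zero depends entirely on log_error bumping the global error count in this version; if it does not, the run would exit 0 after verifying nothing, which is the same false-positive the advisory is closing, so that should be confirmed before release. I would also state the intent next to the return, e.g. `/* a data file was named but this is not a detached signature: refuse rather than fall through to check_sig_and_print() */`, since the four-line block reads like an ordinary error path. The identical block is now repeated three times in this file (hunks at 1290, 1307 and 1365); a small `static int refuse_non_detached (CTX c)` helper that logs and returns non-zero would keep the three checks from drifting apart. The enclosing function starts and ends outside the hunk.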
@@ -380,28 +380,26 @@
iobuf_close(fp);
return 0;
}
- /* no we can't (no sigfile) - read signed stuff from stdin */
- add_to_strlist( &sl, "-");
+ log_error (_("no signed data\n"));
+ return G10ERR_OPEN_FILE;
}
- else
- sl = files;
- for( ; sl; sl = sl->next ) {
+
+ for (sl=files; sl; sl = sl->next ) {
fp = iobuf_open( sl->d );
if( !fp ) {
log_error(_("can't open signed data `%s'\n"), print_fname_stdin(sl->d));
- if( !files )
- free_strlist(sl);
return G10ERR_OPEN_FILE;
}
do_hash( md, md2, fp, textmode );
iobuf_close(fp);
}
- if( !files )
- free_strlist(sl);
return 0;
}
+
+
+
--- gnupg-1.0.4/g10/openfile.c Tue Sep 5 17:31:57 2000
+++ gnupg-stable/g10/openfile.c Thu Nov 30 10:56:06 2000
@@ -257,7 +257,7 @@
buf = m_strdup(iname);
buf[len-4] = 0 ;
a = iobuf_open( buf );
- if( opt.verbose )
+ if( a && opt.verbose )
log_info(_("assuming signed data in `%s'\n"), buf );
m_free(buf);
}
@@ -329,7 +329,7 @@
if ( ( *defhome == '~' && ( strlen(fname) >= strlen (defhome+1)
- && !strcmp(fname+strlen(defhome+1)-strlen(defhome+1),
+ && !strcmp(fname+strlen(fname)-strlen(defhome+1),
defhome+1 ) )) || ( *defhome != '~' && !compare_filenames( fname, defhome ) )
@@ -345,7 +345,3 @@
g10_exit(1);
}
}
-
-
-
-
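Review bot: The new `log_error (_("no signed data\n"))` in the @@ -380 hunk names neither the signature file nor the data file that was tried, yet this is exactly the path every user of the removed stdin fallback will now hit; since `sigfilename` is a parameter of this function (visible in the previous hunk), I would report it, e.g. `log_error (_("no signed data for '%s'\n"), sigfilename);`, guarding against a NULL sigfilename if a caller can pass one. Refusing to read the signed material from stdin when no data file was named is what closes the signature-substitution hole, so a one-line comment above the new error saying that an explicit data file is now required for detached verification would help the next maintainer not to "fix" it back. The function begins in the previous hunk and its remaining body is outside this one.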
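Review bot: The corrected suffix test in the @@ -329 hunk, `!strcmp(fname+strlen(fname)-strlen(defhome+1), defhome+1 )`, is a byte-exact comparison, while the non-tilde branch right below uses compare_filenames() for the same question; if compare_filenames() exists to absorb platform differences in case or separators, the tilde branch should go through it too, e.g. `!compare_filenames(fname+strlen(fname)-strlen(defhome+1), defhome+1)`. The old expression reduced to `fname+0`, i.e. it compared the start of fname with the stripped default, so this hunk is a behavioural fix rather than a cleanup and deserves a comment such as `/* does fname end with the default directory (defhome without the leading '~')? */`. The enclosing condition starts and ends outside the hunk.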