Debian Security Advisory
gnupg -- incorrect signature verification
- Date Reported:
- 11 Nov 2000
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-0974.
- More information:
The version of gnupg that was distributed in Debian GNU/Linux 2.2 had
a logic error in the code that checks for valid signatures which could
cause false positive results: Jim Small discovered that if the input
contained multiple signed sections the exit-code gnupg returned was
only valid for the last section, so improperly signed other sections
were not noticed.
This has been fixed in version 1.0.4-1 and we recommend that you upgrade your gnupg package to that version. Please note that this version of gnupg includes the RSA code directly instead of relying on the gpg-rsa package. This means that the
"load-extension rsa"command in
~/.gnupg/optionsis no longer needed and must be removed: gnupg will not work correctly if it tries to load an extension that is not present.
- Fixed in:
Debian GNU/Linux 2.2 (potato)
- Intel IA-32:
- Motorola 680x0:
- Sun SPARC: