control channel???

Tavis Ormandy taviso at
Sat Jan 13 20:40:55 CET 2007

"Robert J. Hansen" <rjh at> wrote:

> Tavis Ormandy wrote:
> > it doesnt buy an attacker any advantage if he can guess it.
> If so, it raises the question of why GnuPG bothers with any attempt at
> obfuscating it.

I havnt read any rationale, but I assume that a packet with the same id
could be generated by another implementation, and this is a safeguard
against interpreting that.

Andreas Metzler <ametzler at> wrote:

Thanks for the translation Andreas, I believe he has not discovered any
new attack against gpg and is just spreading FUD.

> Well, I could start telling you that values on the stack are very much
> not random and that PID and time are rather well guessable, too but
> the real message is this one: gnupg has got a "control channel" which
> is using in-band signalling and which could be used by an attacker to
> insert packets.

So his attack is inserting packets into the stream, allowing him to
insert packets into the stream. I fail to see the vulnerability :)

> That is all there is to say. I do not think this is
> fixable at all. Throw away, rewrite. 

This is a very sensationalist statement, he has not yet established any
attack against this code.

Thanks, Tavis.

taviso at | finger me for my pgp key.

More information about the Gnupg-devel mailing list