Every version of GnuTLS found to vulnerable to certification bypass.

David Shaw dshaw at jabberwocky.com
Wed Mar 5 07:21:07 CET 2014

On Mar 5, 2014, at 12:09 AM, NIIBE Yutaka <gniibe at fsij.org> wrote:

> I think that he just checked the dependencies.
> On my Debian box, it's:
>    gnupg2 -> libcurl3-gnutls -> libgnutls26
> So, it's related somehow.

GnuPG can use libcurl to talk to keyservers.  So if a particular libcurl is linked to gnutls it would be possible for there to be a keyserver rigged with a cert appearing to be a different keyserver.  Of course, if such a server returned an incorrect key, that key wouldn't have the proper fingerprint or verify in the web of trust.  Still, I could see if someone was doing the wrong thing and trusting a key merely because it came from a particular server they could get into trouble, but then they shouldn't have been doing that in the first place.  Which is not to minimize what is clearly a very serious bug - just that it doesn't affect the security of GnuPG directly.

> But I don't think it make sense to call all those software victims.



More information about the Gnupg-devel mailing list