GnuPG: remotely controllable function pointer [CVE-2006-6235]
Patrick Brunschwig
patrick at mozilla-enigmail.org
Sat Dec 9 15:58:48 CET 2006
Patrick Brunschwig wrote:
> Ludwig Hügelschäfer wrote:
>> Hi,
>
>> Malte Gell wrote on 08.12.2006 14:19 Uhr:
>
>>> Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed
>>> message... Maybe my gpg.conf is messed or is this due to changes in
>>> gpg 1.4.5? Thanx.
>> Enigmail didn't even indicate a signed message :-((
>
> True yes. I have to find out why ...

Interesting ... I found that Werner's mails are PGP/MIME signed, with

    micalg=sha1

However, according to RFC 3156, this is not valid, the parameter would
have to be as follows, and thus it's not recognized as valid by Enigmail:

    micalg=pgp-sha1

Is there a new version of the RFC that I'm not aware of, or is it just a
bug of Werner's mail client? In general, is it a good idea to interpret
the RFC so strictly for this, or is it "better" to be a bit more relaxed?

-Patrick
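
Added example, not part of the original post and not Enigmail's code: a Python sketch of the strict-versus-relaxed choice raised above, classifying the `micalg` parameter of a `multipart/signed` header against the names listed in RFC 3156. The function name, status strings and sample headers are constructed for illustration.

```python
from email.message import Message

# micalg values listed in RFC 3156, section 5 (lower case, "pgp-" prefix).
RFC3156_MICALG = {
    "pgp-md5", "pgp-sha1", "pgp-ripemd160",
    "pgp-md2", "pgp-tiger192", "pgp-haval-5-160",
}

# Constructed sample headers: one with the bare hash name, one RFC 3156 style.
SAMPLE_BARE = ('multipart/signed; micalg=sha1; '
               'protocol="application/pgp-signature"; boundary="b1"')
SAMPLE_RFC = ('multipart/signed; micalg=pgp-sha1; '
              'protocol="application/pgp-signature"; boundary="b1"')


def classify_micalg(content_type, strict=True):
    """Return (status, hash_name) for a Content-Type header value.

    strict=True accepts only the exact RFC 3156 spelling.
    strict=False also accepts a different case or a missing "pgp-" prefix.
    """
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/signed":
        return ("not-signed", None)
    protocol = msg.get_param("protocol")
    if not isinstance(protocol, str) or \
            protocol.lower() != "application/pgp-signature":
        return ("not-pgp-mime", None)
    micalg = msg.get_param("micalg")
    if micalg is None:
        return ("missing-micalg", None)
    if not isinstance(micalg, str):  # RFC 2231 encoded value: treat as invalid
        return ("invalid-micalg", None)
    if micalg in RFC3156_MICALG:
        return ("ok", micalg[len("pgp-"):])
    if not strict:
        value = micalg.strip().lower()
        if not value.startswith("pgp-"):
            value = "pgp-" + value
        if value in RFC3156_MICALG:
            return ("ok-relaxed", value[len("pgp-"):])
    return ("invalid-micalg", None)


if __name__ == "__main__":
    for header in (SAMPLE_BARE, SAMPLE_RFC):
        print(classify_micalg(header), classify_micalg(header, strict=False))
```

In both modes `micalg` is only a hint to the receiving client; the hash algorithm actually used is recorded inside the OpenPGP signature, and verification should rely on that.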