[Announce] GnuPG does not detect injection of unsigned data

Jan Luehr jluehr at gmx.net
Fri Mar 10 19:40:54 CET 2006


Hello,

Am Donnerstag, 9. März 2006 19:53 schrieb Werner Koch:

> Summary
> =======
>
> In the aftermath of the false positive signature verfication bug
> (announced 2006-02-15) more thorough testing of the fix has been done
> and another vulnerability has been detected.
>
> This new problem affects the use of *gpg* for verification of
> signatures which are _not_ detached signatures.  The problem also
> affects verification of signatures embedded in encrypted messages;
> i.e. standard use of gpg for mails.
>

well, this takes me to a difficult question:
How much more are to come? (Have you begun a code audit? How long will it take 
then?)
I haven't been following the gnupg development so far, but imho the recent 
development of actions rater is rather disturbing - and these kind of bugs 
tend to disqualify gnupg from mission critical use. 
Please don't get me wrong, I really like gnupg and  appreciate what you've 
done so far, but the recent development worries me.

Keep smiling
yanosz



More information about the Gnupg-users mailing list