[Announce] GnuPG does not detect injection of unsigned data
Jan Luehr
jluehr at gmx.net
Fri Mar 10 19:40:54 CET 2006
Hello,
On Thursday, 9 March 2006 19:53, Werner Koch wrote:
> Summary
> =======
>
> In the aftermath of the false positive signature verification bug
> (announced 2006-02-15) more thorough testing of the fix has been done
> and another vulnerability has been detected.
>
> This new problem affects the use of *gpg* for verification of
> signatures which are _not_ detached signatures. The problem also
> affects verification of signatures embedded in encrypted messages;
> i.e. standard use of gpg for mails.
>
Well, this takes me to a difficult question:
How many more are to come? (Have you begun a code audit? How long will it
take then?)
I haven't been following the gnupg development so far, but imho the recent
development of actions is rather disturbing - and these kinds of bugs
tend to disqualify gnupg from mission critical use.
Please don't get me wrong, I really like gnupg and appreciate what you've
done so far, but the recent development worries me.
Keep smiling
yanosz