is clearsigned text also vulnerable to recent injection of unsigned data problem?
David Shaw
dshaw at jabberwocky.com
Thu Mar 30 00:08:12 CEST 2006
On Wed, Mar 29, 2006 at 01:03:35PM -0800, phil wrote:
> Hi,
>
> A quick question regarding the recently discovered
> vulnerability to the injection of unsigned data :
>
> From the description, it wasn't completely clear to me
> whether this vulnerability also applied to
> verification of clearsigned text. Does it?
It doesn't. Here's the story:
* It doesn't apply to signed software tarballs (detached signatures)
* It doesn't apply to PGP/MIME signed email messages (which are
detached signatures under the hood)
* It doesn't apply to clearsigned messages
* It might apply to sign+encrypted PGP/MIME messages and
sign+encrypted messages in general (though note your attacker in
this case may be the person who encrypted the message...)
* It might apply to unencrypted-but-binary-signed messages
(essentially signed+encrypted without the encryption - generally not
used much).
David
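David's point that a PGP/MIME signed message is "a detached signature under the hood" can be made concrete: the message carries the signed body part and the armored signature as two separate MIME parts, and a verifier checks the first against the second exactly as it would check a tarball against its .sig file. The following is an added example (not code from the list, from David Shaw, or from GnuPG) that carves those two pieces out of a constructed RFC 3156 message and also insists on the two-part layout RFC 1847 requires, since any extra part would be unsigned data travelling next to a still-valid signature. It assumes a 7bit signature part (no Content-Transfer-Encoding) and a placeholder armor block.

```python
import email
import email.policy

# Constructed RFC 3156 (PGP/MIME) message; the signature armor is a
# placeholder, not a real OpenPGP signature. Line endings are CRLF as on
# the wire, which matters because the signature covers them.
SAMPLE = (
    b"From: alice@example.org\r\nTo: bob@example.org\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    b'\tprotocol="application/pgp-signature"; boundary="pgp-sig-7d1a"\r\n'
    b"\r\n--pgp-sig-7d1a\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"Hello Bob,\r\nthis is the signed text.\r\n"
    b"--pgp-sig-7d1a\r\n"
    b'Content-Type: application/pgp-signature; name="signature.asc"\r\n\r\n'
    b"-----BEGIN PGP SIGNATURE-----\r\n\r\nPLACEHOLDER+NOT+A+REAL+SIG=\r\n"
    b"=AbCd\r\n-----END PGP SIGNATURE-----\r\n"
    b"--pgp-sig-7d1a--\r\n"
)


def split_pgp_mime(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed_bytes, signature_armor) for a PGP/MIME message.

    The signed bytes are sliced verbatim from the wire (inner MIME headers
    included, CRLF kept, the CRLF before the next boundary excluded) because
    that is exactly what a detached-signature check such as
    `gpg --verify signature.asc signed.bin` must be given; re-serialising
    the parsed part could change what the signature covers.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed")
    if msg.get_param("protocol") != "application/pgp-signature":
        raise ValueError("not a PGP/MIME signature")
    if not msg.get_boundary():
        raise ValueError("multipart/signed without a boundary")
    boundary = msg.get_boundary().encode("ascii")
    # RFC 2046: every delimiter is preceded by a CRLF that belongs to it.
    parts = raw.split(b"\r\n--" + boundary)
    # RFC 1847: multipart/signed has exactly two body parts; a third one
    # would be unsigned data riding along with a still-valid signature.
    if len(parts) != 4 or not parts[3].startswith(b"--"):
        raise ValueError("multipart/signed must contain exactly two parts")
    signed = parts[1].removeprefix(b"\r\n")
    _hdrs, _, armor = parts[2].removeprefix(b"\r\n").partition(b"\r\n\r\n")
    if not armor.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        raise ValueError("second part is not an armored detached signature")
    return signed, armor


def has_verifiable_layout(raw: bytes) -> bool:
    """True when the message has the two-part layout a verifier expects."""
    try:
        split_pgp_mime(raw)
        return True
    except ValueError:
        return False
```

Feed `signed` and `armor` to a detached-signature verifier to complete the check; the signature itself is not validated here.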