FreeBSD : gnupg -- false positive signature verification (63fe4189-9f97-11da-ac32-0001020eed82)

medium Nessus Plugin ID 21442

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Werner Koch reports :

The Gentoo project identified a security related bug in GnuPG. When using any current version of GnuPG for unattended signature verification (e.g. by scripts and mail programs), false positive signature verification of detached signatures may occur.

This problem affects the tool *gpgv*, as well as using 'gpg --verify' to imitate gpgv, if only the exit code of the process is used to decide whether a detached signature is valid. This is a plausible mode of operation for gpgv.

If, as suggested, the --status-fd generated output is used to decide whether a signature is valid, no problem exists. In particular applications making use of the GPGME library[2] are not affected.
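An added illustration (not from the plugin, from GnuPG, or from the advisory above) of the recommended approach: decide on the basis of the `--status-fd` lines, never the exit code alone. The sample status streams and the fingerprint are constructed placeholders; `verify_detached` assumes `gpgv` is on PATH and goes one step further than the advisory by also pinning the expected signing-key fingerprint.

```python
import subprocess
from typing import Iterable, List, Set, Tuple

# Status keywords (from GnuPG's DETAILS documentation) that prove or disprove a signature.
GOOD_TOKENS = {"GOODSIG", "VALIDSIG"}
BAD_TOKENS = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample status streams (not real gpgv output); the fingerprint is a placeholder.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signing Key (constructed)\n"
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2006-02-15 1140000000 0 4 0 17 2 00 {TRUSTED_FPR}\n"
)
# A stream carrying no signature at all: a process exit code on its own could still read as success.
SAMPLE_NO_SIG = "[GNUPG:] NODATA 1\n"


def parse_status(status_text: str) -> Tuple[Set[str], List[str]]:
    """Collect the status keywords and any VALIDSIG fingerprints from --status-fd output."""
    keywords: Set[str] = set()
    fingerprints: List[str] = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # not a status line; ignore it
        keywords.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            fingerprints.append(fields[2].upper())
    return keywords, fingerprints


def signature_valid(status_text: str, trusted_fprs: Iterable[str]) -> bool:
    """True only when GOODSIG and VALIDSIG are present, no failure token is, and the key is pinned."""
    keywords, fingerprints = parse_status(status_text)
    if keywords & BAD_TOKENS or not GOOD_TOKENS <= keywords:
        return False
    trusted = {f.upper() for f in trusted_fprs}
    return any(fpr in trusted for fpr in fingerprints)


def verify_detached(keyring: str, sig_path: str, data_path: str, trusted_fprs: Iterable[str]) -> bool:
    """Run gpgv with the status stream on stdout and decide from it, not from returncode."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return signature_valid(proc.stdout, trusted_fprs)
```

Because `gpgv` writes its human-readable messages to stderr, sending the status stream to fd 1 keeps stdout free of anything but `[GNUPG:]` lines.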

Solution

Update the affected package.

See Also

https://marc.info/?l=gnupg-devel&m=113999098729114

http://www.nessus.org/u?3082864d

Plugin Details

Severity: Medium

ID: 21442

File Name: freebsd_pkg_63fe41899f9711daac320001020eed82.nasl

Version: 1.14

Type: local

Published: 5/13/2006

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:gnupg, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2/17/2006

Vulnerability Publication Date: 2/15/2006

Reference Information

CVE: CVE-2006-0455