| blob | 16c08d422629004d0167ae1d35a5a3483c887f9a |
1 Multiple Messages Problem in GnuPG and GPGME
2 ==============================================
3 2007-03-05 [CVE-2007-1263]
6 Summary
7 =======
9 Gerardo Richarte from Core Security Technologies identified a problem
10 when using GnuPG in streaming mode.
12 The problem is actually a variant of a well known problem in the way
13 signed material is presented in a MUA. It is possible to insert
14 additional text before or after a signed (or signed and encrypted)
15 OpenPGP message and make the user believe that this additional text is
16 also covered by the signature. The Core Security advisory describes
17 several variants of the attack; they all boil down to the fact that it
18 might not be possible to identify which part of a message is actually
19 signed if gpg is not used correctly.
21 [ Please do not send private mail in response to this message. The
22 mailing list gnupg-devel is the best place to discuss this problem
23 (please subscribe first so you don't need moderator approval [1]). ]
26 Impact
27 ======
29 All applications using GnuPG without properly using the status
30 interface to verify signed or signed and encrypted messages.
32 All GPGME versions up to and including 1.1.3.
34 Starting with version 1.4.7 and 2.0.3, GnuPG implements an additional
35 and sufficient protection against this common usage problem.
37 Detached signatures are in no way affected by this problem.
40 Description
41 ===========
43 When using gpg (or gpg2) in a pipeline or with redirected input and
44 output additional data may be inserted into a message. This allows to
45 forge a signed message by prefixing it with arbitrary material. A way
46 to create such a message is:
48 echo "This is my sneaky plaintext message" > foobar.txt
49 gpg -z0 --output prefix.gpg --store foobar.txt
50 cat prefix.gpg original-signed-message.gpg > forged.gpg
52 Using gpg naively this results in:
54 $ gpg <forged.gpg
55 This is my sneaky plaintext message
56 Either I'm dead or my watch has stopped.
57 -- Groucho Marx's last words
58 gpg: Signature made Mon Feb 26 09:57:04 2007 CET using DSA key ID 68697734
59 gpg: Good signature from "Alfa Test (demo key) <alfa@example.net>"
60 [...]
62 and thus gives the impression that the sneaky message is part of the
63 signed Groucho quote. The correct way to use gpg with redirection is
64 by taking care of the status interface:
66 $ gpg --status-fd 1 <forged.gpg
67 [GNUPG:] PLAINTEXT 62 1172479053 foobar.txt
68 [GNUPG:] PLAINTEXT_LENGTH 36
69 This is my sneaky plaintext message
70 [GNUPG:] PLAINTEXT 62 1172480224 original-signed-message
71 [GNUPG:] PLAINTEXT_LENGTH 86
72 Either I'm dead or my watch has stopped.
73 -- Groucho Marx's last words
74 gpg: Signature made Mon Feb 26 09:57:04 2007 CET using DSA key ID 68697734
75 [GNUPG:] SIG_ID UncMPBJYgbG/uszJVNKoCAz+hvY 2007-02-26 1172480224
76 [GNUPG:] GOODSIG 2D727CC768697734 Alfa Test (demo key) <alfa@example.net>
77 gpg: Good signature from "Alfa Test (demo key) <alfa@example.net>"
78 [...]
80 Here the PLAINTEXT status lines clearly identify the start of a new
81 message.
83 Note, that using gpg on the command line is in almost all cases not
84 done with redirection but by letting gpg save the the signed message.
85 In this case gpg will save the message to different files or in case
86 the file names are identical, prompt the over to overwrite the first
87 one again.
89 Because the problem of identifying the actual signed content when
90 mixing the signed data and the signature is very common, the long
91 standing suggestion for all digital signatures is to use a detached
92 signature. A detached signature allows to clearly identify what is
93 signed and what is the signature. This is also the reason why
94 PGP/MIME signed messages are in general to be preferred over the old
95 style clear signed messages.
98 Solution
99 ========
101 Given that there are many applications in use which are subject to the
102 described problem, we have decided to change GnuPG so that such forged
103 OpenPGP messages are detected and the signature verification will
104 fail. GnuPG 1.4.7 has been released today and is available from the
105 usual places [2]. If you don't want to update, a minimal patch
106 against GnuPG 1.4.6 is available at
108 ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-1.4.6-multiple-message.patch
110 Many applications are using the library GPGME which implements an easy
111 way to process OpenPGP messages using gpg. We have updated GPGME to
112 make it immune against this problem even if an old version of gpg is
113 being used. GPGME 1.1.4 is available from the usual places [2]. A
114 patch (against version 1.1.3 or 1.1.2) is available at
116 ftp://ftp.gnupg.org/gcrypt/gpgme/patches/gpgme-1.1.3-multiple-message.patch
118 Please note that - after applying one of these patches - some
119 vulnerable applications (mainly MUAs) may fail to handle certain
120 messages which are composed of several OpenPGP messages. To continue
121 the support of such messages fixing the application is required as
122 there is no way for GnuPG to do it.
125 Support
126 =======
128 g10 Code GmbH [3], a Duesseldorf based company owned and headed by
129 GnuPG's principal author, is currently funding GnuPG development.
130 Support contracts or other financial backing will greatly help us to
131 improve the quality of GnuPG.
134 Thanks
135 ======
137 Gerardo Richarte found this problem. David Shaw greatly helped to
138 analyse and describe the core of the problem.
143 [1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel
144 [2] See http://www.gnupg.org/download/
145 [3] See http://www.gnupg.org/service.html