A pair of security bugs in cryptography software could allow an attacker to insert content into a digitally signed message or forge signatures on files.

The flaws lie in the open-source GNU Privacy Guard software, also known as GnuPG and GPG, the GnuPG group said in two alerts. The software, a free replacement for the Pretty Good Privacy cryptographic technology, ships with many open-source operating systems such as FreeBSD, OpenBSD and many Linux distributions.

The vulnerabilities could pose a threat to the value of digital signatures, Tavis Ormandy of the Gentoo Linux security team wrote in an e-mail interview on Friday. For example, a miscreant could add information to a security alert sent via e-mail or forge the digital signature on software updates, wrote Ormandy, who discovered both flaws.

This poses a risk to those who use the open-source cryptographic technology to authenticate e-mail communications or digitally sign files and, even more so, to the recipients of those messages and users of the files.

Linux and Unix distributors, for example, often use GPG digital signatures in their security advisories so customers can verify the announcement is authentic, Ormandy wrote. The signatures are also used in some software updates these companies put out to ensure nobody has tampered with data, he said.

"GnuPG is used in all sorts of ways to guarantee the authenticity of files and messages," Ormandy wrote. "Without the help of GPG, you can bet phony advisories with advice to download malicious files would be a daily occurrence."

Systems used to distribute software updates that rely on GPG will likely need fixing. "It is likely that many software update systems -- especially on Linux -- rely on GPG and will require an update to prevent anyone malicious tampering with software repositories," Ormandy wrote.

Fixes for the flaws are available from the GnuPG team. In addition, those who include the technology in their own products, such as Gentoo and Novell, have been pushing out updates for their products.

The most recent patch was released Thursday. It was discovered that it is possible to insert data into a digitally signed message, which the system would still verify as authentic, according to a GnuPG security advisory.

Ormandy discovered this latest flaw when further researching an earlier bug, for which a patch was released on Feb. 15. That earlier flaw could cause automated signature checkers on file downloads to consider a file safe, while the signature was forged, according to a Novell Suse Linux alert.

There have been no reports of attacks that exploit the vulnerabilities. However, users of the vulnerable software should install security updates soon to ensure they are protected.

Related links

Leave a comment

You must read and type the 6 chars within 0..9 and A..F

* indicates mandatory fields.

Log in


Sign up | Forgot your password?

Blogs

RSS feed

  • Staff XP stays on life support for longer

    This week's Roundup looks at Microsoft's decision to extend the life of Windows XP, the release of Microsoft Surface SDK, Firefox's new Geode plug-in, Yahoo's new tool -- Smush It and more. Read more »

    -- posted by Staff

  • Chris Duckett The good and truly awful celluloid depictions of computers

    Ever wonder why your lawyer uncle leaves the room whenever you turn over to Boston Legal? Or why your forensic science cousin can't stand crime drama? You know the answer: it’s the horrid trivialisation and dumbing down of an occupation to make it appear entertaining. Sometimes it is so unbelievable that it actually hurts and yelling at the screen is the only outlet. Read more »

    -- posted by Chris Duckett

  • Brendon Chase Apple's iPhone engineers to tour Sydney, Melbourne

    Aussie developers will be able to get up close and personal with some of the iPhone engineers in November to learn how to build applications for the platform. Read more »

    -- posted by Brendon Chase

What's on?