Package: gnupg
Version: 1.4.0-3
Severity: normal
Tags: security
Serge Mister and Robert Zuccherato have published a paper which describes
an attack against the symmetric encryption as used in the OpenPGP standard.
It's not exploitable in regular gnupg operation with a human endpoint.

Full details are described in the announce mail at:
http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html

I've attached upstream's fix that circumvents the problem by disabling the
problematic bits of the OpenPGP standard.

Cheers,
Moritz
-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]
Versions of packages gnupg depends on:
ii libc6 2.3.2-9 GNU C Library: Shared libraries an
ii libldap2 2.1.30-3 OpenLDAP libraries
ii makedev 2.3.1-70.3.200407260828 Creates device files in /dev
ii zlib1g 1:1.2.2-4.15.200501191530 compression library - runtime
-- debconf-show failed
Index: include/cipher.h
===================================================================
RCS file: /cvs/gnupg/gnupg/include/cipher.h,v
retrieving revision 1.53.2.6
diff -u -r1.53.2.6 cipher.h
--- include/cipher.h 29 Nov 2004 21:07:43 -0000 1.53.2.6
+++ include/cipher.h 8 Feb 2005 04:12:12 -0000
@@ -76,6 +76,7 @@
int keylen;
int algo_info_printed;
int use_mdc;
+ int symmetric;
byte key[32]; /* this is the largest used keylen (256 bit) */
} DEK;
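Review bot: The new `symmetric` member of DEK is added without a comment, and its name says where the key came from rather than what it controls. A short comment next to it, for example `/* set when the key was derived from a passphrase */`, would make the intent clear to readers of the struct alone.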
Index: g10/mainproc.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/mainproc.c,v
retrieving revision 1.112.2.27
diff -u -r1.112.2.27 mainproc.c
--- g10/mainproc.c 27 Jun 2004 18:26:49 -0000 1.112.2.27
+++ g10/mainproc.c 8 Feb 2005 04:12:13 -0000
@@ -317,6 +317,8 @@
c->dek = passphrase_to_dek( NULL, 0, algo, &enc->s2k, 0, NULL, NULL );
if(c->dek)
{
+ c->dek->symmetric=1;
+
/* FIXME: This doesn't work perfectly if a symmetric key
comes before a public key in the message - if the user
doesn't know the passphrase, then there is a chance
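Review bot: `c->dek->symmetric=1;` is set at this one call site after `passphrase_to_dek()`, with no comment saying why. Add a line explaining that the flag keeps the prefix quick check in encr-data.c enabled for passphrase-derived keys only, and consider setting it inside `passphrase_to_dek()` so that another caller cannot forget it.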
Index: g10/encr-data.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/encr-data.c,v
retrieving revision 1.29
diff -u -r1.29 encr-data.c
--- g10/encr-data.c 29 Jun 2002 13:46:33 -0000 1.29
+++ g10/encr-data.c 8 Feb 2005 04:12:14 -0000
@@ -120,8 +120,7 @@
cipher_sync( dfx.cipher_hd );
p = temp;
/* log_hexdump( "prefix", temp, nprefix+2 ); */
- if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) {
+ if( dek->symmetric && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) ) {
rc = G10ERR_BAD_KEY;
goto leave;
}
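Review bot: With `dek->symmetric &&` in front of the comparison, a key that did not come from a passphrase is never rejected at this point, so `G10ERR_BAD_KEY` can no longer be returned from here for such messages. The condition needs a comment naming the reason the quick check is skipped (a pointer to the announcement is enough), and the line now runs past 80 columns and could be wrapped after the `&&`.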
-------------- next part --------------
Index: include/cipher.h
===================================================================
RCS file: /cvs/gnupg/gnupg/include/cipher.h,v
retrieving revision 1.63
diff -u -r1.63 cipher.h
--- include/cipher.h 29 Nov 2004 21:14:18 -0000 1.63
+++ include/cipher.h 8 Feb 2005 04:10:29 -0000
@@ -75,6 +75,7 @@
int keylen;
int algo_info_printed;
int use_mdc;
+ int symmetric;
byte key[32]; /* this is the largest used keylen (256 bit) */
} DEK;
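Review bot: Nothing in this patch ever sets `symmetric` to 0, so the check in encr-data.c depends on every DEK being zero-filled when it is allocated. Please confirm that for all allocation sites, or clear the field explicitly where a DEK is built from a public-key session key.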
Index: g10/mainproc.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/mainproc.c,v
retrieving revision 1.161
diff -u -r1.161 mainproc.c
--- g10/mainproc.c 21 Oct 2004 19:18:47 -0000 1.161
+++ g10/mainproc.c 8 Feb 2005 04:10:30 -0000
@@ -330,6 +330,8 @@
if(c->dek)
{
+ c->dek->symmetric=1;
+
/* FIXME: This doesn't work perfectly if a symmetric
key comes before a public key in the message - if
the user doesn't know the passphrase, then there is
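Review bot: The FIXME directly below `c->dek->symmetric=1;` is about messages in which a symmetric key comes before a public key. Please say in a comment what the flag is meant to be in that mixed case, since a DEK marked here keeps the quick check in encr-data.c enabled.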
Index: g10/encr-data.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/encr-data.c,v
retrieving revision 1.30
diff -u -r1.30 encr-data.c
--- g10/encr-data.c 8 Oct 2004 21:54:26 -0000 1.30
+++ g10/encr-data.c 8 Feb 2005 04:10:30 -0000
@@ -125,6 +125,6 @@
cipher_sync( dfx.cipher_hd );
p = temp;
/* log_hexdump( "prefix", temp, nprefix+2 ); */
- if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) {
+ if( dek->symmetric && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) ) {
rc = G10ERR_BAD_KEY;
goto leave;
}
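Review bot: The hunk header `@@ -125,6 +125,6 @@` does not match the body, which as shown has seven lines on each side (six context lines plus one removed and one added). Regenerate the diff so that `patch` accepts it cleanly; the code change itself is identical to the one in the other encr-data.c patch.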