Package: gnupg
Version: 1.4.0-3
Severity: normal
Tags: security

Serge Mister and Robert Zuccherato have published a paper which describes an attack against the symmetric encryption as used in the OpenPGP standard. It's not exploitable in regular gnupg operation with a human endpoint.

Full details are described in the announce mail at:
http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html

I've attached upstream's fix that circumvents the problem by disabling the problematic bits of the OpenPGP standard.

Cheers,
Moritz

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]

Versions of packages gnupg depends on:
ii  libc6     2.3.2-9                    GNU C Library: Shared libraries an
ii  libldap2  2.1.30-3                   OpenLDAP libraries
ii  makedev   2.3.1-70.3.200407260828    Creates device files in /dev
ii  zlib1g    1:1.2.2-4.15.200501191530  compression library - runtime

-- debconf-show failed

Index: include/cipher.h =================================================================== RCS file: /cvs/gnupg/gnupg/include/cipher.h,v retrieving revision 1.53.2.6 diff -u -r1.53.2.6 cipher.h --- include/cipher.h 29 Nov 2004 21:07:43 -0000 1.53.2.6 +++ include/cipher.h 8 Feb 2005 04:12:12 -0000 @@ -76,6 +76,7 @@ int keylen; int algo_info_printed; int use_mdc; + int symmetric; byte key[32]; /* this is the largest used keylen (256 bit) */ } DEK; Index: g10/mainproc.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/mainproc.c,v retrieving revision 1.112.2.27 diff -u -r1.112.2.27 mainproc.c --- g10/mainproc.c 27 Jun 2004 18:26:49 -0000 1.112.2.27 +++ g10/mainproc.c 8 Feb 2005 04:12:13 -0000 @@ -317,6 +317,8 @@ c->dek = passphrase_to_dek( NULL, 0, algo, &enc->s2k, 0, NULL, NULL ); if(c->dek) { + c->dek->symmetric=1; + /* FIXME: This doesn't work perfectly if a symmetric key comes before a public key in the message - if the user doesn't know the passphrase, then there is a chance Index: g10/encr-data.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/encr-data.c,v retrieving revision 1.29 diff -u -r1.29 encr-data.c --- g10/encr-data.c 29 Jun 2002 13:46:33 -0000 1.29 +++ g10/encr-data.c 8 Feb 2005 04:12:14 -0000 @@ -120,8 +120,7 @@ cipher_sync( dfx.cipher_hd ); p = temp; /* log_hexdump( "prefix", temp, nprefix+2 ); */ - if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) { + if( dek->symmetric && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) ) { rc = G10ERR_BAD_KEY; goto leave; } -------------- next part -------------- Index: include/cipher.h =================================================================== RCS file: /cvs/gnupg/gnupg/include/cipher.h,v retrieving revision 1.63 diff -u -r1.63 cipher.h --- include/cipher.h 29 Nov 2004 21:14:18 -0000 1.63 +++ include/cipher.h 8 Feb 2005 04:10:29 -0000 
@@ -75,6 +75,7 @@ int keylen; int algo_info_printed; int use_mdc; + int symmetric; byte key[32]; /* this is the largest used keylen (256 bit) */ } DEK; Index: g10/mainproc.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/mainproc.c,v retrieving revision 1.161 diff -u -r1.161 mainproc.c --- g10/mainproc.c 21 Oct 2004 19:18:47 -0000 1.161 +++ g10/mainproc.c 8 Feb 2005 04:10:30 -0000 @@ -330,6 +330,8 @@ if(c->dek) { + c->dek->symmetric=1; + /* FIXME: This doesn't work perfectly if a symmetric key comes before a public key in the message - if the user doesn't know the passphrase, then there is Index: g10/encr-data.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/encr-data.c,v retrieving revision 1.30 diff -u -r1.30 encr-data.c --- g10/encr-data.c 8 Oct 2004 21:54:26 -0000 1.30 +++ g10/encr-data.c 8 Feb 2005 04:10:30 -0000 @@ -125,6 +125,6 @@ cipher_sync( dfx.cipher_hd ); p = temp; /* log_hexdump( "prefix", temp, nprefix+2 ); */ - if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) { + if( dek->symmetric && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) ) { rc = G10ERR_BAD_KEY; goto leave; }
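
Review bot: in include/cipher.h (both copies of the patch), the new `int symmetric;` member of DEK has no comment, unlike the `key[32]` line that follows it. Suggest documenting what it records, for example `int symmetric; /* DEK was derived from a passphrase */`, so that a reader of encr-data.c can tell what the flag gates.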
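
Review bot: in g10/mainproc.c, `c->dek->symmetric=1;` is the only assignment to the new field anywhere in the patch, so the guard added in encr-data.c relies on every DEK created elsewhere already having the field set to zero. Nothing in these hunks shows that. Please confirm that each place a DEK is allocated clears the struct, or assign `symmetric = 0` explicitly there; an uninitialized non-zero value would silently re-enable the prefix check for a message that did not come through this passphrase path. The FIXME directly below the new line concerns a symmetric key packet preceding a public key packet, and should say how the flag behaves in that case.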
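
Review bot: in g10/encr-data.c (both copies of the patch), the new `dek->symmetric &&` guard on the two-byte prefix comparison carries no comment explaining why the check is skipped when the flag is 0; the only line above it is the commented-out `log_hexdump`. A short comment tying the guard to the Mister/Zuccherato attack would keep a later cleanup from restoring the unconditional check. The comment should also state what now reports a wrong session key when `dek->symmetric` is 0, since `G10ERR_BAD_KEY` is no longer returned from this point in that case.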