Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 3 Aug 2005 13:55:41 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Jacques Vidrine <jacques@vidrine.us>
Cc:        cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject:   Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID:  <20050803115540.GF851@zaphod.nitro.dk>
In-Reply-To: <0FD8500C-E0DE-4CB2-B7EF-DDCF5A7B754F@vidrine.us>
References:  <200507311323.j6VDNoTB070910@repoman.freebsd.org> <0FD8500C-E0DE-4CB2-B7EF-DDCF5A7B754F@vidrine.us>

next in thread | previous in thread | raw e-mail | index | archive | help

--FL5UXtIhxfXey3p5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2005.07.31 10:34:00 -0500, Jacques Vidrine wrote:
>
> On Jul 31, 2005, at 8:23 AM, Simon L. Nielsen wrote:
>
> >simon       2005-07-31 13:23:50 UTC
> >
> >  FreeBSD ports repository
> >
> >  Modified files:
> >    security/vuxml       vuln.xml
> >  Log:
> >  Document gnupg -- OpenPGP symmetric encryption vulnerability.
> >
> >  Note: this is mainly a theoretical vulnerability.
> >
> >  Revision  Changes    Path
> >  1.763     +38 -1     ports/security/vuxml/vuln.xml
>
> Thanks, Simon.  Here are a couple of other points that this entry
> should maybe reflect:
>
>   =3D Other software implementing OpenPGP is likely affected, e.g. the
> Perl Crypt::OpenPGP module  (ports/security/p5-Crypt-OpenPGP)

Doh, I had for some reason not thought of that.  It seems like there
is p5-Crypt-OpenPGP, security/pgpin, security/pgp, and security/pgp6
which are not just frontends.

=46rom a quick check of the pgp 2.6.3 docs it seems to also support CFB
so I would think it is also vulnerable.

All the projects seems to be rather dead (no activity for 3+ years)...

>   =3D GnuPG and others "resolved" this issue by disabling the "quick
> check" when using a session key derived from public key encryption.
> But the issue still exists when using symmetric encryption directly,
> e.g. with the `-c' or `--symmetric' flags to gpg.  Of course in that
> case it is even less likely to affect a real world user.

Should a comment about this be added to the VuXML entry?  I think it
seems like a bit of overkill to mark the recent gnupg still vulnerable
due to the _very_ low likeliness that anyone is impacted.

--=20
Simon L. Nielsen

--FL5UXtIhxfXey3p5
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFC8LC8h9pcDSc1mlERAuKdAJwKZ5ZA10UbB4PWezbkhog3YSK/KACgmYx5
ANG0M1KFQ08CiEfzZoe8ZM0=
=z/tk
-----END PGP SIGNATURE-----

--FL5UXtIhxfXey3p5--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050803115540.GF851>