cvs commit: ports/security/vuxml vuln.xml

Jacques Vidrine nectar at FreeBSD.org
Wed Aug 3 12:07:16 GMT 2005 

On Aug 3, 2005, at 6:55 AM, Simon L. Nielsen wrote:
> On 2005.07.31 10:34:00 -0500, Jacques Vidrine wrote:
>> On Jul 31, 2005, at 8:23 AM, Simon L. Nielsen wrote:
>>> simon       2005-07-31 13:23:50 UTC
>>>
>>>  FreeBSD ports repository
>>>
>>>  Modified files:
>>>    security/vuxml       vuln.xml
>>>  Log:
>>>  Document gnupg -- OpenPGP symmetric encryption vulnerability.
>>>
>>>  Note: this is mainly a theoretical vulnerability.
>>>
>>>  Revision  Changes    Path
>>>  1.763     +38 -1     ports/security/vuxml/vuln.xml
>>>
>>
>> Thanks, Simon.  Here are a couple of other points that this entry
>> should maybe reflect:
>>
>>   = Other software implementing OpenPGP is likely affected, e.g. the
>> Perl Crypt::OpenPGP module  (ports/security/p5-Crypt-OpenPGP)
>>
>
> Doh, I had for some reason not thought of that.  It seems like there
> is p5-Crypt-OpenPGP, security/pgpin, security/pgp, and security/pgp6
> which are not just frontends.
>
> From a quick check of the pgp 2.6.3 docs it seems to also support CFB
> so I would think it is also vulnerable.

Hmm.  The flaw is in the /OpenPGP variant/ of CFB.  So I am uncertain  
whether PGP 2 is affected...

> All the projects seems to be rather dead (no activity for 3+ years)...
>
>>   = GnuPG and others "resolved" this issue by disabling the "quick
>> check" when using a session key derived from public key encryption.
>> But the issue still exists when using symmetric encryption directly,
>> e.g. with the `-c' or `--symmetric' flags to gpg.  Of course in that
>> case it is even less likely to affect a real world user.
>>
>
> Should a comment about this be added to the VuXML entry?  I think it
> seems like a bit of overkill to mark the recent gnupg still vulnerable
> due to the _very_ low likeliness that anyone is impacted.

A note would be nice, but I agree that it is not helpful to mark  
recent gpg as vulnerable.

Cheers,
-- 
Jacques A. Vidrine / NTT/Verio
jacques at vidrine.us / jvidrine at verio.net / nectar at freebsd.org

More information about the cvs-all mailing list