cvs commit: ports/security/vuxml vuln.xml
Simon L. Nielsen
simon at FreeBSD.org
Wed Aug 3 11:55:43 GMT 2005
On 2005.07.31 10:34:00 -0500, Jacques Vidrine wrote:
>
> On Jul 31, 2005, at 8:23 AM, Simon L. Nielsen wrote:
>
> >simon 2005-07-31 13:23:50 UTC
> >
> > FreeBSD ports repository
> >
> > Modified files:
> > security/vuxml vuln.xml
> > Log:
> > Document gnupg -- OpenPGP symmetric encryption vulnerability.
> >
> > Note: this is mainly a theoretical vulnerability.
> >
> > Revision Changes Path
> > 1.763 +38 -1 ports/security/vuxml/vuln.xml
>
> Thanks, Simon. Here are a couple of other points that this entry
> should maybe reflect:
>
> = Other software implementing OpenPGP is likely affected, e.g. the
> Perl Crypt::OpenPGP module (ports/security/p5-Crypt-OpenPGP)
Doh, I had for some reason not thought of that. It seems like there
is p5-Crypt-OpenPGP, security/pgpin, security/pgp, and security/pgp6
which are not just frontends.
From a quick check of the pgp 2.6.3 docs it seems to also support CFB
so I would think it is also vulnerable.
All the projects seems to be rather dead (no activity for 3+ years)...
> = GnuPG and others "resolved" this issue by disabling the "quick
> check" when using a session key derived from public key encryption.
> But the issue still exists when using symmetric encryption directly,
> e.g. with the `-c' or `--symmetric' flags to gpg. Of course in that
> case it is even less likely to affect a real world user.
Should a comment about this be added to the VuXML entry? I think it
seems like a bit of overkill to mark the recent gnupg still vulnerable
due to the _very_ low likeliness that anyone is impacted.
--
Simon L. Nielsen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-all/attachments/20050803/36cf01b5/attachment.bin
More information about the cvs-all
mailing list