CVE-2006-0049

Description

gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455.

Affected products

• gnu / privacy_guard1.0 – 1.0
• gnu / privacy_guard1.0.1 – 1.0.1
• gnu / privacy_guard1.0.2 – 1.0.2
• gnu / privacy_guard1.0.3 – 1.0.3
• gnu / privacy_guard1.0.3b – 1.0.3b
• gnu / privacy_guard1.0.4 – 1.0.4
• gnu / privacy_guard1.0.5 – 1.0.5
• gnu / privacy_guard1.0.6 – 1.0.6
• gnu / privacy_guard1.0.7 – 1.0.7
• gnu / privacy_guard1.2 – 1.2
• gnu / privacy_guard1.2.1 – 1.2.1
• gnu / privacy_guard1.2.2 – 1.2.2
• gnu / privacy_guard1.2.2 – 1.2.2
• gnu / privacy_guard1.2.3 – 1.2.3
• gnu / privacy_guard1.2.4 – 1.2.4
• gnu / privacy_guard1.2.5 – 1.2.5
• gnu / privacy_guard1.2.6 – 1.2.6
• gnu / privacy_guard1.2.7 – 1.2.7
• gnu / privacy_guard1.3.3 – 1.3.3
• gnu / privacy_guard1.3.4 – 1.3.4
• gnu / privacy_guard1.4 – 1.4
• gnu / privacy_guard1.4.1 – 1.4.1
• gnu / privacy_guard1.4.2 – 1.4.2
• gnu / privacy_guard1.4.2.1 – 1.4.2.1

References

• VENDOR_ADVISORYhttps://usn.ubuntu.com/264-1/
• VENDOR_ADVISORYhttp://secunia.com/advisories/19249
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2006/0915
• MISChttp://www.redhat.com/support/errata/RHSA-2006-0266.html
• VENDOR_ADVISORYftp://patches.sgi.com/support/free/security/advisories/20060401-01-U
• MAILING_LISThttp://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html
• MISChttp://securityreason.com/securityalert/450
• VENDOR_ADVISORYhttp://secunia.com/advisories/19232
• MISChttp://www.osvdb.org/23790
• MISChttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.476477
• VENDOR_ADVISORYhttp://secunia.com/advisories/19173
• MISChttp://www.securityfocus.com/archive/1/433931/100/0/threaded
• MISChttp://www.securityfocus.com/bid/17058
• MISChttp://securityreason.com/securityalert/568
• MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10063
• VENDOR_ADVISORYhttp://secunia.com/advisories/19287
• MISChttp://www.trustix.org/errata/2006/0014
• MISChttp://securitytracker.com/id?1015749
• VENDOR_ADVISORYhttp://secunia.com/advisories/19532
• MAILING_LISThttp://lists.suse.de/archive/suse-security-announce/2006-Mar/0003.html
• MISChttp://www.gentoo.org/security/en/glsa/glsa-200603-08.xml
• MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/25184
• VENDOR_ADVISORYhttp://secunia.com/advisories/19234
• MISChttp://www.redhat.com/archives/fedora-announce-list/2006-March/msg00021.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/19197
• VENDOR_ADVISORYhttp://secunia.com/advisories/19244
• VENDOR_ADVISORYhttp://secunia.com/advisories/19203
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDKSA-2006:055
• MISChttp://www.securityfocus.com/archive/1/427324/100/0/threaded
• VENDOR_ADVISORYhttp://secunia.com/advisories/19231
• VENDOR_ADVISORYhttp://www.debian.org/security/2006/dsa-993