[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PGP sig bug is real
-----BEGIN PGP SIGNED MESSAGE-----
The PGP signature bug is real. I have verified it in the 2.6 versions
for both the mac and unix.
If you check the sig on this message, it will pass, but the text you see
will not contain the first paragraph of this message. It was added after the
message was signed. A fix was posted to alt.security.pgp. The sig on that
message (not by me) should pass.
- -----BEGIN PGP SIGNED MESSAGE-----
If anyone want to make a change to their PGP sources to cover the
clear-sign hole in PGP before a new release of PGP, here is the change I
made:
in armor.c, look for the function dpem_file() around line 914. Look
for the following code after the literal string "----BEGIN PGP SIGNED
MESSAGE-----", (around line 967):
/* Skip header lines until a blank is hit */
do
{
++infile_line;
status = skipline(in);
} while (status != 0);
replace this code with:
++infile_line;
status = skipline(in); /* read only one blank line */
Robert
- -----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBLomtrx0UusL1b5lxAQHg8QP/ehlKF/SjA61SISmvLvZngY/j8dxGt/cl
MjgYE5nJOFwZeYqwPuZ5QNDSDLP08t8AQ+RB07XENVv6B5TfyI+GIULEHYYjay18
r28LRjW1veiHrlnD7V/FCSj0fVKO9cVzrPAm1a/oFeaAeeS6iHeDbQTwdepghgvn
g8al1/SOErk=
=3EGc
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAwUBLou1gayHUAO76TvRAQGuMgP+OsKh/Ptlo9SSufNuMaGzcvp0CnlSlXj0
UH8TiaOsVVpvwJqotTBLkoDv4r04uWRT/zNl7a0BvBWQE5F1nM8g/cj2nMC7CIQL
yudmTBx8Grb50j07bcEVC6hyHsu5gTk5c9Bq+k1Z6vqcZyf1QWu+RoDTSsXUhomD
Nwl2PV0Ie1g=
=jJgf
-----END PGP SIGNATURE-----