FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2006-0049

This CVE name corresponds to:

Entered: 2006-03-10
Topic: GnuPG does not detect injection of unsigned data

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2006-0049
Phase: Assigned (20051228)

Description

gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455.

References

Source Reference
BUGTRAQ 20060309 GnuPG does not detect injection of unsigned data
MLIST [gnupg-announce] 20060309 [Announce] GnuPG does not detect injection of unsigned data
DEBIAN DSA-993
FEDORA FEDORA-2006-147
FEDORA FLSA-2006:185355
GENTOO GLSA-200603-08
MANDRIVA MDKSA-2006:055
REDHAT RHSA-2006:0266
SGI 20060401-01-U
SLACKWARE SSA:2006-072-02
SUSE SUSE-SA:2006:014
TRUSTIX 2006-0014
UBUNTU USN-264-1
BID 17058
OVAL oval:org.mitre.oval:def:10063
VUPEN ADV-2006-0915
OSVDB 23790
SECTRACK 1015749
SECUNIA 19173
SECUNIA 19203
SECUNIA 19244
SECUNIA 19231
SECUNIA 19249
SECUNIA 19287
SECUNIA 19197
SECUNIA 19232
SECUNIA 19234
SECUNIA 19532
SREASON 450
SREASON 568
XF gnupg-nondetached-sig-verification(25184)