Improper Signature Verification in GnuPG Affects Multiple Versions
CVE-2006-0455

Currently unrated

Key Information:

Vendor: Gnu
Status: Privacy Guard
Vendor: CVE Published:; 15 February 2006

Summary

GnuPG's gpgv command, used for determining the validity of digital signatures, can mistakenly return a success status even when no valid signature is present in the detached signature file. This oversight occurs during unattended signature verifications and could mislead applications into treating invalid signatures as verified. Affected users are advised to review their usage of gpgv and ensure they are running a secure version of the software to prevent unauthorized actions based on erroneous verification results.

References

http://www.securityfocus.com/bid/16663

vdb-entryx_refsource_BID

http://secunia.com/advisories/18956

third-party-advisoryx_refsource_SECUNIA

http://www.trustix.org/errata/2006/0008

vendor-advisoryx_refsource_TRUSTIX

Timeline

Vulnerability published
Feb 15, 2006
Vulnerability Reserved
Jan 27, 2006