1994-09-30 - PGP sig bug is real

Header Data

From: nobody@vox.xs4all.nl (An0nYm0Us UsEr)
To: cypherpunks@toad.com
Message Hash: 433b0e8f503d64581e08126e92ca0e0c4a236fc98adec2733757e08a2411a842
Message ID: <199409300708.AA14369@xs1.xs4all.nl>
Reply To: N/A
UTC Datetime: 1994-09-30 07:08:45 UTC
Raw Date: Fri, 30 Sep 94 00:08:45 PDT

Raw message

From: nobody@vox.xs4all.nl (An0nYm0Us UsEr)
Date: Fri, 30 Sep 94 00:08:45 PDT
To: cypherpunks@toad.com
Subject: PGP sig bug is real
Message-ID: <199409300708.AA14369@xs1.xs4all.nl>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----
The PGP signature bug is real. I have verified it in the 2.6 versions
for both the mac and unix.

If you check the sig on this message, it will pass, but the text you see
will not contain the first paragraph of this message. It was added after the
message was signed. A fix was posted to alt.security.pgp.  The sig on that
message (not by me) should pass.

- -----BEGIN PGP SIGNED MESSAGE-----


If anyone want to make a change to their PGP sources to cover the 
clear-sign hole in PGP before a new release of PGP, here is the change I
made:

in armor.c, look for the function dpem_file() around line 914.  Look
for the following code after the literal string "----BEGIN PGP SIGNED 
MESSAGE-----", (around line 967):

                /* Skip header lines until a blank is hit */
                do
                {
                   ++infile_line;
                   status = skipline(in);
                } while (status != 0);

replace this code with:

                ++infile_line;
                status = skipline(in);  /* read only one blank line */


Robert


- -----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAgUBLomtrx0UusL1b5lxAQHg8QP/ehlKF/SjA61SISmvLvZngY/j8dxGt/cl
MjgYE5nJOFwZeYqwPuZ5QNDSDLP08t8AQ+RB07XENVv6B5TfyI+GIULEHYYjay18
r28LRjW1veiHrlnD7V/FCSj0fVKO9cVzrPAm1a/oFeaAeeS6iHeDbQTwdepghgvn
g8al1/SOErk=
=3EGc
- -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBLou1gayHUAO76TvRAQGuMgP+OsKh/Ptlo9SSufNuMaGzcvp0CnlSlXj0
UH8TiaOsVVpvwJqotTBLkoDv4r04uWRT/zNl7a0BvBWQE5F1nM8g/cj2nMC7CIQL
yudmTBx8Grb50j07bcEVC6hyHsu5gTk5c9Bq+k1Z6vqcZyf1QWu+RoDTSsXUhomD
Nwl2PV0Ie1g=
=jJgf
-----END PGP SIGNATURE-----






Thread