Open-source bugs undermine digital signatures

By Aviran Mordo @ 11:06 am

A pair of security bugs in cryptography software could allow an attacker to insert content into a digitally signed message or forge signatures on files.

The flaws lie in the open-source GNU Privacy Guard software, also known as GnuPG or GPG, the GnuPG group said in two alerts. The software, a free replacement for the Pretty Good Privacy (PGP) cryptographic technology, ships with FreeBSD, OpenBSD and many Linux distributions.

The vulnerabilities could pose a threat to the value of digital signatures, Tavis Ormandy of the Gentoo Linux security team wrote in an e-mail interview on Friday. For example, a miscreant could add information to a security alert sent via e-mail or forge the digital signature on software updates, wrote Ormandy, who discovered both flaws.

This poses a risk to those who use the open-source cryptographic technology to authenticate e-mail communications or digitally sign files and, even more so, to the recipients of those messages and the users of those files, since it is their verification step that is being fooled.

Fixes for the flaws are available from the GnuPG team. Vendors that ship the software in their own products, such as Gentoo and Novell, have also been pushing out updates of their own.
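Applying the update is the fix. Independently of it, any script or build pipeline that consumes GnuPG's verdict should read the machine-readable status lines that `gpg --status-fd 1 --verify` prints rather than trusting the exit code alone, and should pin the fingerprint of the key it expects. The following is an added example, not code from this article or from the GnuPG project; the status-line format it parses is the one documented in GnuPG's doc/DETAILS, and the sample status output, the pinned fingerprint, the key ID and the file names are all constructed for the example.

```python
"""Conservative acceptance check for a GnuPG signature verification run.

Added example, not from the article or the GnuPG project. It parses the
machine-readable lines printed by `gpg --status-fd 1 --verify` (format in
GnuPG's doc/DETAILS) and accepts a file only when every condition in
signature_verdict() holds; the exit code alone is never trusted.
Sample status output and the pinned fingerprint below are constructed.
"""
import subprocess

STATUS_PREFIX = "[GNUPG:] "

# Any of these keywords means the run must be treated as failed,
# whatever the exit code says.
FAILURE_KEYWORDS = {
    "BADSIG", "ERRSIG", "NODATA", "UNEXPECTED", "NO_PUBKEY",
    "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "FAILURE",
}

# Constructed: fingerprint of the only key this pipeline trusts.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"


def parse_status(status_text):
    """Return [(keyword, [args...]), ...] from --status-fd output.

    Lines without the [GNUPG:] prefix (warnings that share the
    descriptor) are ignored.
    """
    records = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            records.append((fields[0], fields[1:]))
    return records


def signature_verdict(status_text, exit_code, allowed_fingerprints):
    """Return (accepted, reason) for one gpg --verify run.

    Accept only if: exit code is 0, no failure keyword appeared, exactly
    one VALIDSIG was emitted, the message carried at most one plaintext
    packet, and the signing key (or its primary key) is on the allow-list.
    """
    allowed = {f.upper() for f in allowed_fingerprints}
    records = parse_status(status_text)

    if exit_code != 0:
        return False, "gpg exit code %d" % exit_code
    for keyword, _ in records:
        if keyword in FAILURE_KEYWORDS:
            return False, "status line %s" % keyword

    valid_sigs = [args for kw, args in records if kw == "VALIDSIG"]
    if len(valid_sigs) != 1:
        return False, "expected exactly one VALIDSIG, got %d" % len(valid_sigs)

    # One inline-signed message yields one PLAINTEXT line (a detached
    # signature yields none); more than one means extra data packets.
    plaintexts = [kw for kw, _ in records if kw == "PLAINTEXT"]
    if len(plaintexts) > 1:
        return False, "%d plaintext packets in one message" % len(plaintexts)

    args = valid_sigs[0]
    signing_fpr = args[0].upper()
    # Field 10 of VALIDSIG, when present, is the primary key fingerprint.
    primary_fpr = args[9].upper() if len(args) >= 10 else signing_fpr
    if signing_fpr not in allowed and primary_fpr not in allowed:
        return False, "signing key %s not pinned" % signing_fpr
    return True, "good signature from pinned key %s" % primary_fpr


def verify_file(data_path, sig_path, allowed_fingerprints, gpg="gpg"):
    """Run gpg on a detached signature and apply signature_verdict()."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return signature_verdict(proc.stdout, proc.returncode, allowed_fingerprints)


# Constructed sample: a good signature by the pinned key.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-02-15 1139961600 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
"""

# Constructed sample: the signature did not verify.
SAMPLE_BADSIG = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>
"""

# Constructed sample: a valid signature followed by a second data packet.
SAMPLE_EXTRA_DATA = SAMPLE_GOOD + (
    "[GNUPG:] PLAINTEXT 62 1139961600 notice.txt\n"
    "[GNUPG:] PLAINTEXT 62 1139961601 extra.txt\n"
)

if __name__ == "__main__":
    for name, status, code in [("good", SAMPLE_GOOD, 0),
                               ("badsig", SAMPLE_BADSIG, 1),
                               ("extra", SAMPLE_EXTRA_DATA, 0)]:
        print(name, signature_verdict(status, code, {PINNED_FINGERPRINT}))
```

In a real pipeline the call is `verify_file("update.tar.gz", "update.tar.gz.sig", {PINNED_FINGERPRINT})` (constructed file names); note that the allow-list is matched against the signing subkey fingerprint and against the primary key fingerprint, so either may be pinned.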

Source: News.com

