Mailing List Archive

Don't use 0.3.5 !!!
Please do not use version 0.3.5 of GNUPG!

I have applied a SERIOUS bug while implementing the weak key detection
code!

All session keys (not the public keys) and keys for conventional
encryption are NOT random!

DON'T USE THIS VERSION!

I moved a line of code instead of copying it. See g10/seskey.c
function make_session_key() - It is a very stupid bug.

I apologize for this bad version.

To avoid such hassle in the future I'd suggest that some of you
should look over the diffs to see whether there might be serious
problems. A complete code-walk would be a good idea anyway.


Sorry,

Werner
Re: Don't use 0.3.5 !!!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a little off track, but does anyone have any good ideas on how to
check those detached signatures using pine and gpg? If you hit e to export
the msg it copies the headers too and that's no good for a detached
signature. I guess I could write a program to strip out the headers and
MIME stuff if I can figure out where exactly those begin and end. I also
found it a little humorous that the precedence on Werner's message was
'bulk'. I will look at diffs if it helps out Werner and the project. I
know it's tough coding encryption stuff. A lot of pressure to do it right.
I also noticed last night that I wasn't able to decrypt messages made with
gpg with pgp. I didn't test this extensively, but it appeared to be
different than what was happening in 0.3.4. The message was done using
cast5 and I even tried the -z 0 option. I guess signatures are still good
since I believe they are just encrypted using the public key scheme. oh
btw, I was never able to get gpg -c to encrypt the multiple files. I thought
I had it working but it didn't. I tried about 3 or 4 different ways to do
it and always came up with a bug I couldn't figure out. So goes
programming I guess.

Kirk


On Fri, 18 Sep 1998, Werner Koch wrote:

> Please do not use version 0.3.5 of GNUPG!
>
> I have applied a SERIOUS bug while implementing the weak key detection
> code!
>
> All session keys (not the public keys) and keys for conventional
> encryption are NOT random!
>
> DON'T USE THIS VERSION!
>
> I moved a line of code instead of copying it. See g10/seskey.c
> function make_session_key() - It is a very stupid bug.
>
> I apologize for this bad version.
>
> To avoid such hassle in the future I'd suggest that some of you
> should look over the diffs to see whether there might be serious
> problems. A complete code-walk would be a good idea anyway.
>
>
> Sorry,
>
> Werner
>
>

-----BEGIN PGP SIGNATURE-----
Version: GNUPG v0.3.5 (FreeBSD)
Comment: Get GNUPG from ftp://ftp.guug.de/pub/gcrypt/

iEYEARECAAYFAjYCXVEACgkQf+niZZlBRVN78wCeNExsb/k+cgd91nZegAOwN3fbFLUAn1un
sgit2RlR9f9ulBwuXD6Nl86D
=HDUV
-----END PGP SIGNATURE-----
Re: Don't use 0.3.5 !!!
Kirk Fort <kfort@kfort.dyn.ml.org> writes:

> cast5 and I even tried the -z 0 option. I guess signatures are still good
> since I believe they are just encrypted using the public key scheme. oh

You are right.


Werner