[Gpg4win-devel] 2.0.4 for gpgsm fix

Bernhard Reiter bernhard at intevation.de
Wed Jul 28 12:34:24 CEST 2010


On Wednesday, 28 July 2010 11:58:25, Bernhard Reiter wrote:
> IMHO we should publish 2.0.4 right away
> to fix the gpgsm issue.

Emanuel will work on this.
The main character of the release will be one to polish Gpg4win's image
as it turns out that the defect is not exploitable.

See http://lists.gnupg.org/pipermail/gnupg-users/2010-July/039269.html

It is much more likely that other defects are being tried.

> Citing:
> http://lists.gnupg.org/pipermail/gnupg-announce/2010q3/000302.html
>             Realloc Bug with X.509 certificates in GnuPG
>             ==============================================
>                               2010-07-23
> Solution
> ========
>
> Apply the following patch.
>
> an exploit won't be
> easy to write because the attack vector must fit into a valid ASN.1
> DER encoded DN.  To further complicate the task, that DN is not used
> directly but after a transformation to RFC-2253 format.


-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Deputy Coordinator Germany: fsfe.org. Board member: www.kolabsys.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


