The debian-private mailing list leak, part 1.


Re: Fwd: Minor PGP vulnerability



I would suggest *not* patching PGP with this patch.  I believe that
this topic has been discussed sufficiently on bugtraq that I am
convinced that such a patch would only cause a larger problem.

John

joey@finlandia.infodrom.north.de (Martin Schulze) writes:

> -----Forwarded message from weidner@IFI.UNIZH.CH (Harald Weidner)-----
> 
> Approved-By: aleph1@UNDERGROUND.ORG
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Description: Main Body
> X-Mailer: Mutt 0.69
> Message-ID:  <19970715230248.05951@ifi.unizh.ch>
> Date:         Tue, 15 Jul 1997 23:02:48 +0200
> Reply-To:     weidner@IFI.UNIZH.CH
> From:         Harald Weidner <weidner@IFI.UNIZH.CH>
> Subject:      Minor PGP vulnerability
> To:           BUGTRAQ@NETSPACE.ORG
> X-Loop: bugtraq@Infodrom.North.DE
> Precedence: bulk
> 
> Hi,
> 
> I'm not quite sure whether this belongs to this list, but since
> there were several application related security bugs posted here,
> I post this one, too. I have written some code for exploitation of
> a well known security hole in PGP.
> 
> As you might know, PGP uses a 32-Bit number, called key-ID, as
> an internal index for storing and recognizing keys. Although
> the key-IDs are quite randomly distributed within 31 of the
> 32 bits (the key-ID is always odd), the scheme how this key id
> is derived from the (public) key is not cryptographically secure.
> It is possible to generate keys which have a certain, predefined
> key-ID. This can confuse users and key servers, as pgp does not
> accept several different keys with the same key id.
> 
> This is exactly what my patch does. You can find it on
> http://www.ifi.unizh.ch/~weidner/pgp-keyid.patch. The file
> size is about 11kB. I don't post it here to protect the
> list server from exporting cryptographic software. The patch
> is against PGP-2.6.3ia.
> 
> As a consequence, when obtaining PGP keys from insecure sources,
> you should always check for the existence of a key with the same
> key-ID in your own public keyring. To verify a key, always use
> the fingerprint and never the key-ID.
> 
> Harald
> 
> 
> --
> Harald Weidner                   http://www.ifi.unizh.ch/~weidner/
> 
> 
> -----End of forwarded message-----
> 
> -- 
>   / Martin Schulze  *  joey@infodrom.north.de  *  26129 Oldenburg /
>  /                              No question is too silly to ask, /
> /    but, of course, some are too silly to answer  -- perl book /
> 
> 
> --
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> debian-private-request@lists.debian.org . 
> Trouble?  e-mail to templin@bucknell.edu .
> 

-- 
John Goerzen          | Running Debian GNU/Linux (www.debian.org)
Custom Programming    | 
jgoerzen@complete.org | 
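
The keyring check recommended in the forwarded advisory (look for an existing key with the same key-ID, then compare fingerprints), as an added example that is not part of the original thread or of PGP itself. It assumes the V3 (PGP 2.6.x RSA) derivations documented in RFC 4880: the short key-ID is the low 32 bits of the modulus and the fingerprint is MD5 over the modulus and exponent bytes. Function names and sample values are hypothetical and constructed.

```python
import hashlib

def mpi_body(n: int) -> bytes:
    """Big-endian bytes of an MPI, without the two-octet bit-length prefix."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def short_key_id(modulus: int) -> str:
    """32-bit key-ID: low 32 bits of the RSA modulus (odd, since n is odd)."""
    return f"{modulus & 0xFFFFFFFF:08X}"

def v3_fingerprint(modulus: int, exponent: int) -> str:
    """V3 fingerprint: MD5 over the MPI bodies of n, then e."""
    data = mpi_body(modulus) + mpi_body(exponent)
    return hashlib.md5(data).hexdigest().upper()

def check_incoming(keyring, incoming):
    """Classify an incoming (user_id, n, e) key against the local keyring.

    Returns 'new', 'known' (same fingerprint already present), or
    'collision' (same key-ID, different fingerprint: do not import,
    verify the fingerprint out of band first).
    """
    _, n, e = incoming
    kid, fpr = short_key_id(n), v3_fingerprint(n, e)
    same_id = [k for k in keyring if short_key_id(k[1]) == kid]
    if not same_id:
        return "new"
    if any(v3_fingerprint(k[1], k[2]) == fpr for k in same_id):
        return "known"
    return "collision"

# Constructed sample values: odd integers standing in for RSA moduli
# (not real keys). ALICE and LOOKALIKE agree only in their low 32 bits.
ALICE = ("Alice <alice@example.org>", 0xC3A1F00D5EED1234DEADBEEF0A1B2C3D, 65537)
LOOKALIKE = ("Alice <alice@example.org>", 0x9911223344556677889900AA0A1B2C3D, 65537)
BOB = ("Bob <bob@example.org>", 0x7F00AA55CC33EE1122446688B4D5E6F7, 17)
CAROL = ("Carol <carol@example.org>", 0x1F2E3D4C5B6A79881, 17)
KEYRING = [ALICE, BOB]

if __name__ == "__main__":
    for key in (ALICE, LOOKALIKE, CAROL):
        print(key[0], short_key_id(key[1]),
              v3_fingerprint(key[1], key[2]), check_incoming(KEYRING, key))
```

The user ID and key-ID of the two "Alice" entries are identical; only the fingerprint comparison separates them.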

