Package : gnupg
Problem type : cheating with detached signatures, circumvention of web of trust
Debian-specific: no
Two bugs in GnuPG have recently been found:
1. false positives when verifying detached signatures
There is a problem in the way gpg checks detached signatures which
can lead to false positives. A detached signature can be verified
with a command like this:
gpg --verify detached.sig < mydata
If someone replaced detached.sig with a signed text (i.e. not a
detached signature) and then modified mydata, gpg would still
report a successfully verified signature.
To fix this, the way the --verify option works has been changed: it now
needs two arguments when verifying detached signatures: both the file
with the detached signature, and the file with the data to be
verified. Please note that this makes it incompatible with older
versions!
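The following shell script is an added illustration and is not part of the advisory or of GnuPG itself. It shows the confusion behind the first bug from the verifier's side: a file handed to gpg as a detached signature should contain only a signature (an armored "BEGIN PGP SIGNATURE" block, or a binary OpenPGP signature packet, tag 2 in RFC 4880), whereas a signed text starts with "BEGIN PGP SIGNED MESSAGE" or with a one-pass signature packet. The pre-check rejects the latter before calling the two-argument form of --verify described above. The sample files are constructed placeholders with the right framing only, not real signatures; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Debian advisory or GnuPG. Signature framing
# follows RFC 4880; the sample files below are constructed placeholders.

# Return 0 if FILE looks like a detached signature, 1 otherwise.
is_detached_signature() {
    file=$1
    [ -s "$file" ] || return 1
    first_line=$(head -n 1 "$file")
    case $first_line in
        "-----BEGIN PGP SIGNATURE-----")
            # Armored detached signature: a lone SIGNATURE block. A clearsigned
            # text carries a SIGNED MESSAGE block as well, so reject that.
            grep -q -- '-----BEGIN PGP SIGNED MESSAGE-----' "$file" && return 1
            return 0 ;;
        "-----BEGIN PGP "*)
            # Any other armor header (SIGNED MESSAGE, MESSAGE, ...) is not detached.
            return 1 ;;
    esac
    # Binary file: the first packet must be a signature packet (tag 2), i.e. an
    # old-format header 0x88-0x8b or a new-format header 0xc2 (RFC 4880 4.2).
    first_byte=$(od -An -tx1 -N1 "$file" | tr -d ' \n')
    case $first_byte in
        88|89|8a|8b|c2) return 0 ;;
        *) return 1 ;;
    esac
}

# Write constructed sample files into DIR. Only the framing matters here;
# the bodies are placeholders, not valid signatures.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' 'placeholder-base64' \
        '-----END PGP SIGNATURE-----' > "$dir/detached.asc"
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' '' 'hello' \
        '-----BEGIN PGP SIGNATURE-----' 'placeholder' \
        '-----END PGP SIGNATURE-----' > "$dir/clearsigned.asc"
    printf '\210\001' > "$dir/detached.sig"   # old-format tag 2: signature packet
    printf '\220\001' > "$dir/onepass.gpg"    # old-format tag 4: one-pass signed message
}

# Verify DATA against SIG, but only after the pre-check, using the two-file
# form that the fixed gpg requires.
verify_detached() {
    sig=$1
    data=$2
    if ! is_detached_signature "$sig"; then
        echo "refusing: $sig is not a detached signature" >&2
        return 1
    fi
    gpg --verify "$sig" "$data"
}

# Usage: sh check_detached.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for f in detached.asc clearsigned.asc detached.sig onepass.gpg; do
        if is_detached_signature "$tmp/$f"; then
            echo "$f: detached signature"
        else
            echo "$f: NOT a detached signature"
        fi
    done
    rm -rf "$tmp"
fi
```

The check is deliberately shallow: it looks at framing only and does not parse or validate the signature, which remains gpg's job. Its purpose is to make sure the two files are passed to --verify in the roles the fixed command expects, so a signed text can no longer be substituted for the detached signature.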
2. secret keys are silently imported
Florian Weimer discovered that gpg would import secret keys from
key-servers. Since gpg considers public k...