SigSpoof

This article may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details. (September 2018) (Learn how and when to remove this message)

SigSpoof (CVE-2018-12020) is a family of security vulnerabilities that affected the software package GNU Privacy Guard ("GnuPG") since version 0.2.2, that was released in 1998.^[1] Several other software packages that make use of GnuPG were also affected, such as Pass and Enigmail.^[2][1]

In un-patched versions of affected software, SigSpoof attacks allow cryptographic signatures to be convincingly spoofed, under certain circumstances.^{[1][3][4][2][5]} This potentially enables a wide range of subsidiary attacks to succeed.^{[1][3][4][2][5]}

1. ^ ^{a b c d} Goodin, Dan (2018-06-14). "Decades-old PGP bug allowed hackers to spoof just about anyone's signature". Ars Technica. Retrieved 2018-10-08.
2. ^ ^{a b c} Chirgwin, Richard (2018-06-19). "Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug". The Register. Retrieved 2018-10-08.
3. ^ ^{a b} Böck, Hanno (2018-06-13). "SigSpoof: Signaturen fälschen mit GnuPG". Golem.de. Retrieved 2018-10-08.
4. ^ ^{a b} von Westernhagen, Olivia (2018-06-14). "Enigmail und GPG Suite: Neue Mail-Plugin-Versionen schließen GnuPG-Lücke". Heise Security. Retrieved 2018-10-08.
5. ^ ^{a b} "20 Jahre alter Fehler entdeckt: PGP-Signaturen ließen sich einfach fälschen - derStandard.at". Der Standard. 2018-06-18. Retrieved 2018-10-08.

This computer security article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e