Fedora Legacy Update Advisory FLSA:185355 – Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG’s exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/46336/FLSA-2006-185355.txt
Source: https://packetstormsecurity.com/files/46336/FLSA-2006-185355.txt.html