COMMAND

    afio

SYSTEMS AFFECTED

    Linux

PROBLEM

    The following is based on a comp.os.linux.announce thread.  It is
    believed that there are very  few people who use afio's  -P option
    for encrypting afio archive contents with pgp.  If you do not  use
    afio, pgp, or the  'afio -P pgp' option,  it is safe to  skip this
    advisory.

    Since version 2.4.2, the afio  archiver has had an interface,  the
    '-P pgp' command line option, which can be used to pgp-encrypt the
    file data written to  an afio archive.   Following up on some  bug
    reports,  afio's  maintainer  has  recently  discovered a security
    problem with this afio-pgp interface: pgp encryption is not always
    applied in the  right way.   This makes it  possible to crack  the
    encryption on  the file  data in  an 'encrypted'  archive produced
    using afio with the '-P pgp' option.  The security of files  which
    were already encrypted  _before_ being written  to the archive  is
    not affected.  The security hole is not in pgp itself, but in  the
    interaction between afio and  pgp.  Other programs  which interact
    with pgp  to encrypt  things are  very unlikely  to have a similar
    security hole.

    It is possible  to crack the  encryption of at  least some of  the
    file  data  in  the  'encrypted'  archives produced using 'afio -P
    pgp'.   This  includes  archives  produced  using  the   pgp_write
    example  script  included  in  the  afio distribution.  The attack
    against  the  broken  archive  encryption  is  obscure,  but   not
    impossible to find.

SOLUTION

    The next  version of  afio (due  out in  1-n months)  will fix the
    security bug.   By reverse-engineering  the bug  fix, it  will  be
    easier  to  find  the  attack.   So  the  release of the next afio
    version  will  make  already-existing   'afio  -P  pgp'   archives
    more vulnerable.

    _Existing archives_ produced with  'afio -P pgp' should  really be
    treated with  the same  care (against  theft etc.)  as unencrypted
    archives.  If such existing  archives cannot be deleted or  safely
    locked away,  then encrypting  the _entire_  existing archive file
    with  pgp  will  protect  it.   Such completely encrypted archives
    will _not_  be fault-tolerant  against storage  media errors, like
    normal afio archives are.  _New archives_ which really need to  be
    protected with encryption  can be made  by having afio  output the
    archive to stdout and piping this output through pgp:

        find [options] | afio -o [options] - | pgp [options] >device_or_file

    Such  encrypted  archives  will  _not_  be  fault-tolerant against
    storage media  errors, like  normal afio  archives are.   The next
    version of  afio (due  out in  1-n months)  will fix this security
    hole by which 'afio -P pgp' creates unsafe archives.
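
    The pipeline above for new archives, written out as an added shell
    example; it is not part of the original advisory or of the afio
    distribution.  Assumed here: PGP 2.x filter mode ('pgp -fe recipient'),
    the function name encrypted_afio_backup, and the temporary-file handling.

```shell
#!/bin/sh
# Added example: encrypt the whole afio stream instead of using 'afio -P pgp'.
# Assumptions (not from the advisory): 'pgp -fe <recipient>' (PGP 2.x filter
# mode), the function name, and the write-then-rename handling of the output.

encrypted_afio_backup() {
    src=$1 recipient=$2 out=$3
    for tool in afio pgp; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 127; }
    done
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }

    # The pipeline runs after 'cd', so the output path must be absolute.
    case $out in /*) ;; *) out=$PWD/$out ;; esac
    tmp="$out.partial.$$"
    status=0
    (
        umask 077   # the ciphertext file is readable by its owner only
        # Where the shell supports it, fail when find or afio fails, not only pgp.
        (set -o pipefail) 2>/dev/null && set -o pipefail
        cd "$src" || exit 2
        # afio writes the plaintext archive to stdout ('-'); pgp then encrypts
        # the entire stream, archive headers and file names included.
        find . -print | afio -o - | pgp -fe "$recipient" > "$tmp"
    ) || status=$?

    # Never leave a truncated or empty file that looks like a finished backup.
    if [ "$status" -ne 0 ] || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "backup failed (status $status); no archive written" >&2
        return 1
    fi
    mv "$tmp" "$out"
}

# Usage: script.sh SOURCE_DIR PGP_RECIPIENT OUTPUT_FILE
if [ "$#" -eq 3 ]; then
    encrypted_afio_backup "$@"
fi
```

    As the advisory notes, an archive produced this way is not
    fault-tolerant against storage media errors.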