-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#11
- ------------------------------------------------------------
Name: gnupg
Date: 2007-03-07
Severity: High
Warning #: 2007-#11
- ------------------------------------------------------------

Product Background
===================
GNU Privacy Guard - a PGP replacement tool

Problem Background
===================
Scripts and applications using GnuPG are prone to a vulnerability in how
signature verification information is shown to the end user. In some
cases, depending on how GnuPG is used, even an advanced user running
GnuPG directly from the command line may be fooled by this attack.

It is important to note that this IS NOT a cryptographic problem, but
rather a problem with how information is shown to the user and how
third-party applications and GnuPG interact with each other.

Impact
======
An attacker is able to add arbitrary content to a signed message. The
receiver of the message (using a mail client such as Enigmail to read
it) will not be able to distinguish the forged parts from the properly
signed parts of the message.

This problem derives from the fact that a valid OpenPGP message can
include multiple portions, each of them in turn considered a message,
some of which may be signed and/or encrypted and some of which may not.
Vulnerable third-party applications do not use the appropriate GnuPG API
to determine message boundaries and do not explicitly differentiate
messages in their output to end users.
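The following is an added example, not code from this advisory, GnuPG, Enigmail or any other client named here. It shows the kind of check the Package Fix and Workaround sections ask for: read the machine-readable lines GnuPG writes to the "--status-fd" descriptor and accept the output only as one message unit covered by one good signature, so that a stream that intermingles a signed part with an unsigned literal packet is rejected instead of displayed. The status keywords used (PLAINTEXT, GOODSIG, BADSIG, NODATA, ERRSIG) are those documented in GnuPG's doc/DETAILS; the acceptance rule itself, the `verify_file` helper (which assumes a `gpg` binary on PATH) and the sample status lines with placeholder key IDs and fingerprints are this example's own constructions.

```python
"""Classify GnuPG --status-fd output as one safely verified message or not.

Added example for the advisory; not GnuPG's or any mail client's code.
Keywords understood come from GnuPG's doc/DETAILS.  The acceptance rule
(exactly one plaintext unit covered by exactly one good signature) is this
example's own policy, chosen to reject the intermingled-message case.
"""
import subprocess
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    plaintexts: int = 0        # literal-data (PLAINTEXT) units seen
    good_sigs: int = 0         # GOODSIG lines seen
    bad_sigs: int = 0          # BADSIG lines seen
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """True only when no problem was recorded."""
        return not self.problems


def assess_status(lines, detached=False) -> Verdict:
    """Apply the one-message/one-good-signature policy to status lines.

    lines    -- text lines read from the --status-fd descriptor; anything not
                starting with '[GNUPG:] ' (e.g. plaintext sharing the
                descriptor) is ignored rather than trusted.
    detached -- True when verifying a detached signature, where no PLAINTEXT
                line is expected because the data is not inside the message.
    """
    v = Verdict()
    for raw in lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "PLAINTEXT":
            v.plaintexts += 1
        elif keyword == "GOODSIG":
            v.good_sigs += 1
        elif keyword == "BADSIG":
            v.bad_sigs += 1
        elif keyword in ("NODATA", "ERRSIG"):
            v.problems.append(f"GnuPG reported {keyword}: signature not checkable")

    if v.bad_sigs:
        v.problems.append(f"{v.bad_sigs} bad signature(s)")
    if v.good_sigs == 0:
        v.problems.append("no good signature found")
    elif v.good_sigs > 1:
        v.problems.append(f"{v.good_sigs} good signatures: more than one message in one run")
    expected = 0 if detached else 1
    if v.plaintexts != expected:
        v.problems.append(
            f"expected {expected} plaintext unit(s), saw {v.plaintexts}: "
            "output may mix signed and unsigned parts")
    return v


def verify_file(path, gpg="gpg") -> Verdict:
    """Hypothetical helper: run gpg (assumed on PATH) with --status-fd 1.

    The verified text goes to --output /dev/null so that only status lines
    reach stdout; a client would show the text only after the Verdict is ok.
    """
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--output", "/dev/null",
         "--decrypt", path],
        capture_output=True, text=True)
    return assess_status(proc.stdout.splitlines())


# Constructed sample status output (placeholder key IDs and fingerprints).
SAFE_STATUS = [
    "[GNUPG:] PLAINTEXT 62 1173225600 message.txt",
    "[GNUPG:] PLAINTEXT_LENGTH 27",
    "[GNUPG:] SIG_ID PLACEHOLDERSIGID 2007-03-07 1173225600",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-03-07 "
    "1173225600 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_FULLY",
]

# Signed part followed by an unsigned literal packet in the same stream:
# two PLAINTEXT units, only the first covered by a signature.
MIXED_STATUS = SAFE_STATUS + [
    "text of the appended part leaking onto the same descriptor",
    "[GNUPG:] PLAINTEXT 62 1173225601 appended.txt",
    "[GNUPG:] PLAINTEXT_LENGTH 40",
]

BADSIG_STATUS = [
    "[GNUPG:] PLAINTEXT 62 1173225600 message.txt",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>",
]

if __name__ == "__main__":
    for name, sample in (("safe", SAFE_STATUS), ("mixed", MIXED_STATUS),
                         ("badsig", BADSIG_STATUS)):
        verdict = assess_status(sample)
        print(name, "OK" if verdict.ok else "REJECT", verdict.problems)
```

The point of counting PLAINTEXT units rather than just looking for GOODSIG is that a GOODSIG line says nothing about how much of the output it covers; a client that only greps for GOODSIG is exactly the pattern the advisory faults.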
Problem Packages
===================
- ------------------------------------------------------------------
Package | Repo    | Group  | Unsafe   | Safe    |
- ------------------------------------------------------------------
gnupg   | current | system | <= 1.4.7 | >=1.4.7 |

Package Fix
===================
The following versions of GnuPG and GPGME resolve this issue:

  GnuPG 1.4.7
  GPGME 1.1.4

They can be downloaded from:
http://www.gnupg.org/download/

The fixed versions enforce a limit of processing only one message on
each run, so third-party applications and direct GPG users cannot be
confused by multiple messages with different security properties being
intermingled in the output without clear message boundaries.

For application developers using GnuPG as a backend, the application
must pay attention to the output of the "--status-fd" option.

Workaround
===================
If a signed message looks suspicious, the validity of the signature can
be verified manually by invoking GnuPG from the command line and adding
the special option "--status-fd", as described below, to gain extra
information.

Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html
where I will summarize all warnings.

I am trying to make a place where we, members of the community, can
talk about these:
http://jjdanimoth.netsons.org/flyspray/

Please, give me your feedback on this.

Reference(s)
===================
CVE-2007-1263 - for the visual distinction issues in GnuPG itself, all 4 attacks.
CVE-2007-1264 - Enigmail improper use of --status-fd
CVE-2007-1265 - KMail improper or non-existing use of --status-fd
CVE-2007-1266 - Evolution improper or non-existing use of --status-fd
CVE-2007-1267 - Sylpheed improper or non-existing use of --status-fd
CVE-2007-1268 - Mutt improper or non-existing use of --status-fd
CVE-2007-1269 - GNUMail improper or non-existing use of --status-fd
http://www.coresecurity.com/?action=item&id=1687

Contact
==================
JJDaNiMoTh < jjdanimoth AT gmail DOT com >

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF7s2JcJj0HNhER0MRArrlAJ0YBIrdKY66zNMPU+WdEzRpieW64ACfS/ed
NEaRJdiIPL5gBp10oFBS0SY=
=rwNX
-----END PGP SIGNATURE-----
_______________________________________________
arch mailing list
[email protected]
http://www.archlinux.org/mailman/listinfo/arch
