PGPsdk Key Validity Vulnerability

From: Patrick Oonk (patrickat_private)
Date: Tue Sep 04 2001 - 07:37:07 PDT

Next message: s96192at_private: "[ Hackerslab bug_paper ] Informix-SQL application vulnerability"

Previous message: Casper Dik: "Re: INCORRECT PATCH REVISIONS: Re: Sun Security Bulletin #00207"
Next in thread: Florian Weimer: "Re: PGPsdk Key Validity Vulnerability"
Reply: Florian Weimer: "Re: PGPsdk Key Validity Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.pgp.com/support/product-advisories/pgpsdk.asp 

A vulnerability in PGP's display of key validity has been discovered
that could allow an attacker to fool users into thinking that a valid
signature was created by what is actually an invalid user ID. If the
attacker can obtain a signature on their key from a trusted third party,
they can then add a second user ID to their key which is unsigned. The
attacker must then switch the unsigned false user ID to primary and
convince the victim to place the key on their keyring. In such a case,
some of the displays in PGP do not properly identify the false user ID
as invalid because the second user ID is fully valid. Whenever PGP
displays validity information on a per-user ID basis, the display is
correct. Thus, attentive users who examine the user IDs of all public
keys which they import to their keyrings will immediately notice this
problem before it could have any impact.

This issue was discovered and reported to Network Associates/PGP
Security, Inc. by Sieuwert van Otterloo.

This issue has been corrected such that all key validity displays in PGP
will properly mark the unsigned user ID as invalid. Hotfixes are now
available for the following products:
* PGP Corporate Desktop v7.1 (MacOS9/Win32)
* PGP Personal Security v7.0.3 (MacOS9/Win32)
* PGP Freeware v7.0.3 (MacOS9/Win32)
* PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32)

Product upgrades are available for the following products:
* PGP E-Business Server v6.5.8x (OS/390)
* PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32)

The hotfixes and upgrades can be found at:
http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp

Network Associates/PGP Security Inc. has published the PGPsdk source
code in electronic form for academic and cryptographic peer review. The
source packages can be downloaded from:
http://www.pgp.com/downloads/default.asp


-- 
 Patrick Oonk - PO1-6BONE - E: patrickat_private - www.pine.nl/~patrick
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonkat_private
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: disks spinning backwards - toggle the
 hemisphere jumper.

Next message: s96192at_private: "[ Hackerslab bug_paper ] Informix-SQL application vulnerability"
Previous message: Casper Dik: "Re: INCORRECT PATCH REVISIONS: Re: Sun Security Bulletin #00207"
Next in thread: Florian Weimer: "Re: PGPsdk Key Validity Vulnerability"
Reply: Florian Weimer: "Re: PGPsdk Key Validity Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 09:47:17 PDT