I think it is a genuine problem - a nasty one too. You could try contacting
NAI, but they seem to have semi-imploded recently so may not be as helpful.
See http://www.pgp.com/ Try contacting sales and asking for a tech - that
works sometimes :).

The 6.5.8 source seems to be still around -
http://www.pgpi.org/cgi/download.cgi?filename=pgpsrc658win32.zip

Any idea where to start the fix?

BTW: Isn't GPG compatible with the commercial PGPs used by your
corresponding commercial entities?

Cheerio,
Link.

At 03:53 PM 6/7/02 -0500, McAllister, Andrew wrote:
>Yes, the behavior you are seeing with gpg is exactly the behavior I would
>expect with PGP. In my opinion, PGP should warn and error out when
>decrypting an encrypted and signed file that has data appended to it. It
>should not simply take the appended data and overwrite the output of the
>encrypted/signed message when in batch mode.
>
>Does anyone think I should raise this a level and contact NAI/McAfee?
>Anyone know of a contact point? Problems I see trying to get a fix are:
>6.5.8 is out of date, the version I have is non-commercial, I'm not a
>paying customer.
>
>I'd switch to something else, but gpg et al are not options, we get files
>from commercial entities who use the commercial version of pgp. We must be
>able to exchange keys, decrypt and verify the latest PGP formats, not the
>2.x format.
>
>We know that GPG v1.0.6 is NOT vulnerable. Anyone have another PGP version?
>
>Andrew McAllister
>University of Missouri
>
> > -----Original Message-----
> > From: Rich Henning [mailto:vulnerableat_private]
>snip
> > I was unable to reproduce this behavior using GPGv1.0.6 on
> > linux-2.4.18 x86
> > in fact, I was even warned that the encrypted message was modified:
>snip
> > gpg: WARNING: encrypted message has been manipulated!
>snip
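The check the thread is asking PGP for (refuse a file that has anything appended after the encrypted message instead of letting the appended data replace the output) can be done on the OpenPGP packet framing before any decryption happens. The script below is an added example written for this archive page; it is not code from PGP, NAI or GnuPG. It assumes binary, non-armored input, uses the packet tags from the OpenPGP packet format (RFC 2440 / RFC 4880 section 4.3), does not handle partial body lengths, and builds its own sample message out of filler bytes rather than real ciphertext. `naive_output` mimics the batch-mode behaviour described above (every top-level literal-data packet is written to the same output, so an appended one wins); `check_message_layout` is the guard that rejects the tampered file.

```python
"""Constructed example: walk the top-level OpenPGP packet sequence of a
binary (non-armored) message and refuse to process it when anything
follows the encrypted-data packet.  This is not PGP or GnuPG code."""
import struct

# Packet tags from the OpenPGP packet format (RFC 2440 / RFC 4880, section 4.3).
TAG_PKESK = 1      # Public-Key Encrypted Session Key
TAG_SKESK = 3      # Symmetric-Key Encrypted Session Key
TAG_SED = 9        # Symmetrically Encrypted Data
TAG_LITERAL = 11   # Literal Data
TAG_SEIPD = 18     # Symmetrically Encrypted Integrity Protected Data
SESSION_KEY_TAGS = {TAG_PKESK, TAG_SKESK}
ENCRYPTED_TAGS = {TAG_SED, TAG_SEIPD}


def parse_packets(data):
    """Return [(tag, body), ...] for the top-level packets in data.
    Handles old- and new-format headers; partial body lengths are rejected."""
    packets, pos, n = [], 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header byte 0x%02x at offset %d" % (ctb, pos))
        pos += 1
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            if pos >= n:
                raise ValueError("truncated length at offset %d" % pos)
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                if pos >= n:
                    raise ValueError("truncated two-byte length")
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                if pos + 4 > n:
                    raise ValueError("truncated five-byte length")
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                            # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = n - pos                         # indeterminate: to end of input
            else:
                size = (1, 2, 4)[ltype]
                if pos + size > n:
                    raise ValueError("truncated old-format length")
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        if pos + length > n:
            raise ValueError("packet tag %d claims %d bytes past end of input" % (tag, length))
        packets.append((tag, bytes(data[pos:pos + length])))
        pos += length
    return packets


def check_message_layout(data):
    """Accept only: zero or more session-key packets, one encrypted-data
    packet, and nothing after it.  Returns a reason string on rejection,
    None when the layout is acceptable."""
    tags = [tag for tag, _ in parse_packets(data)]
    enc = [i for i, t in enumerate(tags) if t in ENCRYPTED_TAGS]
    if not enc:
        return "no encrypted data packet"
    for t in tags[:enc[0]]:
        if t not in SESSION_KEY_TAGS:
            return "unexpected packet tag %d before the encrypted data" % t
    trailing = tags[enc[0] + 1:]
    if trailing:
        return "%d packet(s) appended after the encrypted data: tags %s" % (len(trailing), trailing)
    return None


def naive_output(data):
    """Mimic a processor that writes every top-level literal-data packet to
    the same output, so an appended literal packet replaces the real text.
    Returns the last literal payload seen (b'' if none at top level)."""
    out = b""
    for tag, body in parse_packets(data):
        if tag == TAG_LITERAL:
            # literal body: format byte, filename length, filename, 4-byte date, data
            name_len = body[1]
            out = body[2 + name_len + 4:]
    return out


def encode_packet(tag, body, new_format=True):
    """Build a packet with a one-byte length (sample construction only; body < 192 bytes)."""
    assert len(body) < 192
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed sample message.  The PKESK/SEIPD bodies are filler bytes, not
# real ciphertext: only the framing matters to the check above.
GOOD_MESSAGE = (encode_packet(TAG_PKESK, b"\x03" + b"\x11" * 8 + b"\x01" + b"\xaa" * 32, new_format=False)
                + encode_packet(TAG_SEIPD, b"\x01" + b"\x5c" * 60))
APPENDED = encode_packet(TAG_LITERAL, b"b\x00" + b"\x00\x00\x00\x00" + b"APPENDED PLAINTEXT\n",
                         new_format=False)
TAMPERED_MESSAGE = GOOD_MESSAGE + APPENDED

if __name__ == "__main__":
    for name, msg in (("good", GOOD_MESSAGE), ("tampered", TAMPERED_MESSAGE)):
        print(name, [t for t, _ in parse_packets(msg)], check_message_layout(msg), naive_output(msg))
```

Run it and the tampered message is reported as having one packet (tag 11) appended after the encrypted data, while the naive processor would happily emit "APPENDED PLAINTEXT". This guard only covers data appended outside the encrypted container; anything smuggled inside it can only be caught after decryption, by insisting on exactly one literal-data packet between the one-pass signature and the signature packet.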
This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 19:58:23 PDT