Home page logo

isn logo Information Security News mailing list archives

PGPsdk Key Validity Vulnerability
From: InfoSec News <isn () c4i org>
Date: Wed, 5 Sep 2001 01:16:47 -0500 (CDT)

Forwarded from: "Jay D. Dyson" <jdyson () treachery net>


Courtesy of Bugtraq.

Follow-up per the previous report.

- ---------- Forwarded message ----------
Date: Tue, 4 Sep 2001 16:37:07 +0200
From: Patrick Oonk <patrick () pine nl>
To: bugtraq () securityfocus com
Subject: PGPsdk Key Validity Vulnerability


A vulnerability in PGP's display of key validity has been discovered
that could allow an attacker to fool users into thinking that a valid
signature was created by what is actually an invalid user ID. If the
attacker can obtain a signature on their key from a trusted third party,
they can then add a second user ID to their key which is unsigned. The
attacker must then switch the unsigned false user ID to primary and
convince the victim to place the key on their keyring. In such a case,
some of the displays in PGP do not properly identify the false user ID
as invalid because the second user ID is fully valid. Whenever PGP
displays validity information on a per-user ID basis, the display is
correct. Thus, attentive users who examine the user IDs of all public
keys which they import to their keyrings will immediately notice this
problem before it could have any impact.

This issue was discovered and reported to Network Associates/PGP
Security, Inc. by Sieuwert van Otterloo.

This issue has been corrected such that all key validity displays in PGP
will properly mark the unsigned user ID as invalid. Hotfixes are now
available for the following products:
* PGP Corporate Desktop v7.1 (MacOS9/Win32)
* PGP Personal Security v7.0.3 (MacOS9/Win32)
* PGP Freeware v7.0.3 (MacOS9/Win32)
* PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32)

Product upgrades are available for the following products:
* PGP E-Business Server v6.5.8x (OS/390)
* PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32)

The hotfixes and upgrades can be found at:

Network Associates/PGP Security Inc. has published the PGPsdk source
code in electronic form for academic and cryptographic peer review. The
source packages can be downloaded from:

- -- 
 Patrick Oonk - PO1-6BONE - E: patrick () pine nl - www.pine.nl/~patrick
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk () my security nl
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: disks spinning backwards - toggle the
 hemisphere jumper.

Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.


ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]