[22517] in bugtraq
PGPsdk Key Validity Vulnerability
daemon@ATHENA.MIT.EDU (Patrick Oonk)
Tue Sep 4 12:19:21 2001
Date: Tue, 4 Sep 2001 16:37:07 +0200
From: Patrick Oonk <patrick@pine.nl>
To: bugtraq@securityfocus.com
Message-ID: <20010904163707.V16229@pine.nl>
Reply-To: patrick@pine.nl
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
http://www.pgp.com/support/product-advisories/pgpsdk.asp
A vulnerability in PGP's display of key validity has been discovered
that could allow an attacker to fool users into thinking that a valid
signature was created by what is actually an invalid user ID. If the
attacker can obtain a signature on their key from a trusted third party,
they can then add a second user ID to their key which is unsigned. The
attacker must then switch the unsigned false user ID to primary and
convince the victim to place the key on their keyring. In such a case,
some of the displays in PGP do not properly identify the false user ID
as invalid because the second user ID is fully valid. Whenever PGP
displays validity information on a per-user ID basis, the display is
correct. Thus, attentive users who examine the user IDs of all public
keys which they import to their keyrings will immediately notice this
problem before it could have any impact.
This issue was discovered and reported to Network Associates/PGP
Security, Inc. by Sieuwert van Otterloo.
This issue has been corrected such that all key validity displays in PGP
will properly mark the unsigned user ID as invalid. Hotfixes are now
available for the following products:
* PGP Corporate Desktop v7.1 (MacOS9/Win32)
* PGP Personal Security v7.0.3 (MacOS9/Win32)
* PGP Freeware v7.0.3 (MacOS9/Win32)
* PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32)
Product upgrades are available for the following products:
* PGP E-Business Server v6.5.8x (OS/390)
* PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32)
The hotfixes and upgrades can be found at:
http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp
Network Associates/PGP Security Inc. has published the PGPsdk source
code in electronic form for academic and cryptographic peer review. The
source packages can be downloaded from:
http://www.pgp.com/downloads/default.asp
--
Patrick Oonk - PO1-6BONE - E: patrick@pine.nl - www.pine.nl/~patrick
Pine Internet - PAT31337-RIPE - Hushmail: p.oonk@my.security.nl
T: +31-70-3111010 - F: +31-70-3111011 - http://security.nl
PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF 2F64 A65C 42AE 155C 3934
Excuse of the day: disks spinning backwards - toggle the
hemisphere jumper.
