[16373] in bugtraq


SERIOUS PGP BUG!

daemon@ATHENA.MIT.EDU (Phosgene)
Thu Aug 24 12:13:55 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.NEB.4.10.10008241020110.29902-100000@setec.org>
Date:         Thu, 24 Aug 2000 10:28:51 -0400
Reply-To: Phosgene <phosgene@SETEC.ORG>
From: Phosgene <phosgene@SETEC.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000823211011.G24198@mandrakesoft.com>

In case you have not heard, there is a serious bug in some versions of PGP
related to additional decryption keys (ADK).
For more information, look at John Young's site, which details some of this:
http://cryptome.org/pgp-badbug.htm

Quoting from an email on the site:

"Tested versions of PGP:
PGP-2.6.3ia UNIX   (not vulnerable - doesn't support V4 signatures)
PGP-5.0i UNIX      (not vulnerable)
PGP-5.5.3i WINDOWS (VULNERABLE)
PGP-6.5.1i WINDOWS (VULNERABLE)
GnuPG-1.0.1 UNIX   (not vulnerable)"

A paper detailing an aspect of the vulnerability is written by Ralf
Senderek: http://senderek.de/security/key-experiments.html and his student
Stephen Early <Stephen.Early@cl.cam.ac.uk> seems to have worked on
detailing this vulnerability as well on the ukcrypto mailing list.

Phosgene
