Message-ID: <20030504013525.GA10689@jabberwocky.com>
Date: Sat, 3 May 2003 21:35:26 -0400
From: David Shaw <dshaw@...berwocky.com>
To: bugtraq@...urityfocus.com
Cc: gnupg-announce@...pg.org
Subject: Key validity bug in GnuPG 1.2.1 and earlier

As part of the development of GnuPG 1.2.2, a bug was discovered in the
key validation code.  On a key with more than one user ID, this bug
gives every user ID on the key the validity of the most-valid user ID,
so GnuPG will silently encrypt to a user ID that nobody has certified
as long as some other user ID on the same key is certified.

This bug does not impact any key with only one user ID.  Photo IDs
("user attribute IDs") do not count as an additional user ID for the
purposes of this bug.

For example, given a key with two user IDs:
   Alice <alice@...mple.com>
and
   Alice's other address <alice@...p.example.net>

If the encrypting user has a trust path to the ID
alice@...mple.com, then this ID is fully valid, and there is no
warning message when encrypting to alice@...mple.com.

If the encrypting user has an insufficient trust path to the ID
"alice@...p.example.net", that ID is not fully valid; if there is no
trust path at all, it is not valid.  In either case there should be a
warning message when encrypting to this other user ID ("it is not
certain this key belongs to the user named in the user ID / do you
want to encrypt to it anyway?"), but due to the bug the invalid user
ID is accepted as valid and no warning message is given.

This bug has been fixed in the newly released GnuPG 1.2.2, and
upgrading is the recommended fix for this problem.  For those who
cannot upgrade for whatever reason, the attached patch fixes the
problem as well.  The patch should apply (perhaps with some offsets)
to GnuPG 1.2.1, 1.2.0, or 1.0.7.  Note that GnuPG 1.0.6 (and possibly
earlier) versions have the same problem, but these versions are too
old to successfully apply the patch.  If you are using GnuPG 1.0.6 or
an earlier version, please upgrade.

The GnuPG Team (David, Stefan, Timo and Werner)
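The following script is an added example and is not part of the advisory or of the GnuPG sources. It gives an administrator two checks against the bug described above: a version test (is the installed GnuPG older than 1.2.2?) and a per-user-ID validity report built from the machine-readable output of `gpg --with-colons --list-keys`, with a filter that lists multi-user-ID keys whose user IDs all carry the same validity letter, which is the symptom the advisory describes. The colon-record field positions are those documented in GnuPG's doc/DETAILS; the two sample listings, the key ID, the dates and the e-mail addresses in them are constructed for this example and are not the (obfuscated) addresses in the advisory.

```shell
#!/bin/sh
# Added example; not part of the GnuPG advisory or the GnuPG sources.
# Checks for the multi-user-ID validity bug described in the advisory:
#   1. gpg_affected_version: is a GnuPG version string older than 1.2.2?
#   2. uid_validity_report / flag_uniform_multi_uid_keys: read the listing
#      from `gpg --with-colons --list-keys` and show the validity GnuPG
#      assigned to each user ID, so that a user ID with no trust path
#      that nevertheless shows "f" (full) stands out.
# Field layout follows GnuPG's doc/DETAILS: field 1 is the record type
# (pub, uid, uat, sub, ...), field 2 the validity letter (u ultimate,
# f full, m marginal, q undefined, - unknown, ...), field 5 of a pub
# record the key ID, field 10 of a uid record the user ID.  Older GnuPG
# versions print the first user ID in field 10 of the pub record rather
# than in a uid record; both layouts are handled below.

# Print the version number from the first line of `gpg --version`
# ("gpg (GnuPG) 1.2.1" -> "1.2.1").
gpg_version_from_banner() {
    awk 'NR == 1 { print $3; exit }'
}

# Succeed (exit 0) when the major.minor.patch version in $1 is older
# than 1.2.2, the first release carrying the fix.
gpg_affected_version() {
    echo "$1" | awk -F. '{
        v = $1 * 1000000 + $2 * 1000 + $3
        exit !(v < 1002002)
    }'
}

# Read a colon listing on stdin; print "<keyid> <validity> <user id>"
# for every user ID.  uat (photo ID) records are skipped on purpose:
# the advisory says they do not count as an extra user ID for this bug.
uid_validity_report() {
    awk -F: '
        $1 == "pub" { keyid = $5; if ($10 != "") print keyid, $2, $10 }
        $1 == "uid" { print keyid, $2, $10 }
    '
}

# Read a colon listing on stdin; print "<keyid> <validity>" for every key
# with more than one user ID whose user IDs all carry the same validity.
# That is the symptom of the bug, but it is also what a legitimate key
# looks like when every user ID is certified, so this is a list of keys
# to review against the trust paths you expect, not proof of the bug.
flag_uniform_multi_uid_keys() {
    awk -F: '
        function note(v) {
            if (n == 0) first = v
            else if (v != first) uniform = 0
            n++
        }
        function flush() { if (n > 1 && uniform) print keyid, first }
        $1 == "pub" {
            flush()
            keyid = $5; n = 0; uniform = 1; first = ""
            if ($10 != "") note($2)
        }
        $1 == "uid" { note($2) }
        END { flush() }
    '
}

# Constructed listings for a two-user-ID key like the one in the advisory
# (key ID, dates and addresses are placeholders made up for this example).
# sample_listing_fixed is what a fixed GnuPG shows: a trust path to the
# first address (f), none to the second (-).  sample_listing_buggy is the
# buggy behaviour: both user IDs inherit f from the most-valid one.
sample_listing_fixed() {
    cat <<'EOF'
pub:f:1024:17:0123456789ABCDEF:2003-05-03:::-::scESC:
uid:f::::::::Alice <alice@example.com>:
uid:-::::::::Alice's other address <alice@other.example.net>:
uat:-::::::::1 2345:
EOF
}

sample_listing_buggy() {
    cat <<'EOF'
pub:f:1024:17:0123456789ABCDEF:2003-05-03:::-::scESC:
uid:f::::::::Alice <alice@example.com>:
uid:f::::::::Alice's other address <alice@other.example.net>:
uat:f::::::::1 2345:
EOF
}

# Stand-alone demonstration: the two constructed listings, then the
# installed gpg, if there is one.
echo "fixed GnuPG:"; sample_listing_fixed | uid_validity_report
echo "buggy GnuPG:"; sample_listing_buggy | uid_validity_report
echo "keys to review (buggy listing):"
sample_listing_buggy | flag_uniform_multi_uid_keys
if command -v gpg >/dev/null 2>&1; then
    v=$(gpg --version 2>/dev/null | gpg_version_from_banner)
    if gpg_affected_version "$v"; then
        echo "installed gpg $v is older than 1.2.2: upgrade or apply the patch"
    else
        echo "installed gpg $v is not affected by this bug"
    fi
fi
```

To use it against a real keyring, pipe `gpg --with-colons --list-keys` into `uid_validity_report` and compare each user ID's letter with the trust path you actually have to it; a user ID you have never certified, directly or through the web of trust, should not show `f`.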


Attachment: patch-gnupg-1.2.1-trustfix.txt (text/plain, 4716 bytes)

PGP signature (application/pgp-signature) not reproduced in the archive.
