<<< Date Index >>>     <<< Thread Index >>>

OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier



To: announce@xxxxxxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx 
full-disclosure@xxxxxxxxxxxxxxxx security-alerts@xxxxxxxxxxxxxxxxx
To: kirkl@xxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier
Advisory number:        CSSA-2003-034.0
Issue date:             2003 November 17
Cross reference:        sr883602 fz528211 erg712405 CAN-2003-0255
______________________________________________________________________________


1. Problem Description

        As part of the development of GnuPG 1.2.2, a bug was
        discovered in the key validation code. This bug causes keys
        with more than one user ID to give all user IDs on the key
        the amount of validity given to the most-valid key.

        CAN-2003-0255 The key validation code in GnuPG before 1.2.2
        does not properly determine the validity of keys with
        multiple user IDs and assigns the greatest validity of the
        most valid user ID, which prevents GnuPG from warning the
        encrypting user when a user ID does not have a trusted path.

        The Common Vulnerabilities and Exposures (CVE) project has
        assigned the name CAN-2003-0255 to this issue. This is a
        candidate for inclusion in the CVE list (http://cve.mitre.org),
        which standardizes names for security problems.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Server          prior to gnupg-1.2.2-1.i386.rpm
        OpenLinux 3.1.1 Workstation     prior to gnupg-1.2.2-1.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-034.0/RPMS

        4.2 Packages

        d6da27be5c407641dc29f753d96e41fc        gnupg-1.2.2-1.i386.rpm

        4.3 Installation

        rpm -Fvh gnupg-1.2.2-1.i386.rpm

        4.4 Source Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-034.0/SRPMS

        4.5 Source Packages

        b1ab55790186abd7997af751b3032721        gnupg-1.2.2-1.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-034.0/RPMS

        5.2 Packages

        5469dcefe0be50d4d99d4b925a58d453        gnupg-1.2.2-1.i386.rpm

        5.3 Installation

        rpm -Fvh gnupg-1.2.2-1.i386.rpm

        5.4 Source Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-034.0/SRPMS

        5.5 Source Packages

        be6338d319f84f139e8363f64bc6673a        gnupg-1.2.2-1.src.rpm


6. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0255


        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr883602 fz528211
        erg712405.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


8. Acknowledgements

        SCO would like to thank The GnuPG Team (David, Stefan, Timo and Werner)

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj+5JjYACgkQbluZssSXDTGX9gCg++EK6pUrwQRfZl54wqUCinB8
itcAniMWmXByl7LyjfSP4chsEK2RcfXa
=nik3
-----END PGP SIGNATURE-----