
Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection



Re: To Mutt Developers 2007-03-08 <E1HPQzN-000061-Vi@xxxxxxxxxxxxxxxxxxxx>
> Responsible-Changed-From-To: gnats-admin->mutt-dev
> Responsible-Changed-By: cb

Sorry I messed up...

Christoph
-- 
cb@xxxxxxxx | http://www.df7cb.de/
--- Begin Message ---
Forwarding #413688 here as well...

The attached mbox is available at http://bugs.debian.org/413688.

----- Forwarded message from Jö Fahlke <jorrit@xxxxxxxxx> -----

Date: Tue, 6 Mar 2007 17:01:33 +0100
From: Jö Fahlke <jorrit@xxxxxxxxx>
Reply-To: Jö Fahlke <jorrit@xxxxxxxxx>, 413688@xxxxxxxxxxxxxxx
To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
Subject: Bug#413688: mutt: GnuPG and GnuPG clients unsigned data injection
        vulnerability

Package: mutt
Version: 1.5.13-1.1
Severity: normal
Tags: security

[ Stealing the summary from GnuPG's announcement ]

Gerardo Richarte from Core Security Technologies identified a problem
when using GnuPG in streaming mode.

The problem is actually a variant of a well known problem in the way
signed material is presented in a MUA.  It is possible to insert
additional text before or after a signed (or signed and encrypted)
OpenPGP message and make the user believe that this additional text is
also covered by the signature.  The Core Security advisory describes
several variants of the attack; they all boil down to the fact that it
might not be possible to identify which part of a message is actually
signed if gpg is not used correctly.

Core Security's advisory:
http://www.coresecurity.com/?action=item&id=1687

Announcement on the GnuPG mailinglist:
http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html

I was able to verify that the second way of attack variant 2 described
by Core Security does indeed work with mutt from testing.  A testcase
is attached.

Regards,
Jö.

----- End forwarded message -----

Christoph
-- 
cb@xxxxxxxx | http://www.df7cb.de/

--- End Message ---
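Added example, not code from the bug report, mutt or GnuPG: a small parser that shows which part of a clearsigned mail part is actually covered by the signature, which is the check a MUA needs so that text inserted before or after the signed block is displayed as unsigned rather than blended into gpg's output. The sample message and its placeholder signature are constructed.

```python
# Armor lines of an OpenPGP clearsigned message (RFC 4880, section 7).
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(body):
    """Return (signed_texts, unsigned_lines): only text between the armor
    headers and BEGIN PGP SIGNATURE is covered; everything else is unsigned."""
    lines = body.splitlines()
    signed, unsigned = [], []
    i = 0
    while i < len(lines):
        if lines[i].strip() != BEGIN_SIGNED:
            unsigned.append(lines[i])
            i += 1
            continue
        j = i + 1                      # skip "Hash: ..." armor headers up to the blank line
        while j < len(lines) and lines[j].strip():
            j += 1
        k = j + 1                      # locate the start of the signature block
        while k < len(lines) and lines[k].strip() != BEGIN_SIG:
            k += 1
        e = k + 1                      # and its end
        while e < len(lines) and lines[e].strip() != END_SIG:
            e += 1
        if e >= len(lines):            # truncated block: nothing in it is verifiable
            unsigned.extend(lines[i:])
            break
        # Undo the dash-escaping (RFC 4880 7.1) the signer applied to "-" lines.
        text = [l[2:] if l.startswith("- ") else l for l in lines[j + 1:k]]
        signed.append("\n".join(text))
        i = e + 1
    return signed, [l for l in unsigned if l.strip()]

# Constructed sample: unsigned text before and after a placeholder signed block.
SAMPLE = """Please wire the money to the new account below.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The invoice is attached as agreed.
-----BEGIN PGP SIGNATURE-----
PLACEHOLDERSIGNATURE==
-----END PGP SIGNATURE-----
New account: 1234 5678 (this line is NOT signed)
"""
```

Signature validity itself is still gpg's job; this only decides which bytes a verified signature can vouch for.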
