Re: To Mutt Developers 2007-03-08 <E1HPQzN-000061-Vi@xxxxxxxxxxxxxxxxxxxx> > Responsible-Changed-From-To: gnats-admin->mutt-dev > Responsible-Changed-By: cb Sorry I messed up... Christoph -- cb@xxxxxxxx | http://www.df7cb.de/
--- Begin Message ---
- To: Mutt Bugs <bug-any@xxxxxxxxxxxxx>
- Subject: GnuPG and GnuPG clients unsigned data injection vulnerability
- From: Christoph Berg <cb@xxxxxxxx>
- Date: Thu, 8 Mar 2007 23:13:32 +0100
- User-agent: Mutt/1.5.14+cvs20070301 (2007-02-28)
Forwarding #413688 here as well... The attached mbox is available at http://bugs.debian.org/413688. ----- Forwarded message from Jö Fahlke <jorrit@xxxxxxxxx> ----- Date: Tue, 6 Mar 2007 17:01:33 +0100 From: Jö Fahlke <jorrit@xxxxxxxxx> Reply-To: Jö Fahlke <jorrit@xxxxxxxxx>, 413688@xxxxxxxxxxxxxxx To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx> Subject: Bug#413688: mutt: GnuPG and GnuPG clients unsigned data injection vulnerability Package: mutt Version: 1.5.13-1.1 Severity: normal Tags: security [ Stealing the summary from GnuPGs announcement ] Gerardo Richarte from Core Security Technologies identified a problem when using GnuPG in streaming mode. The problem is actually a variant of a well known problem in the way signed material is presented in a MUA. It is possible to insert additional text before or after a signed (or signed and encrypted) OpenPGP message and make the user believe that this additional text is also covered by the signature. The Core Security advisory describes several variants of the attack; they all boil down to the fact that it might not be possible to identify which part of a message is actually signed if gpg is not used correctly. Core Securities advisory: http://www.coresecurity.com/?action=item&id=1687 Announcement on the GnuPG mailinglist: http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html I was able to verify that the second way of attack variant 2 decribed by Core Security does indeed work with mutt from testing. A testcase is attached. MfG, Jö. ----- End forwarded message ----- Christoph -- cb@xxxxxxxx | http://www.df7cb.de/
--- End Message ---
Attachment:
signature.asc
Description: Digital signature