Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection

To: Mutt Developers <mutt-dev@xxxxxxxx>
Subject: Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection
From: Christoph Berg <cb@xxxxxxxx>
Date: Thu, 8 Mar 2007 23:28:33 +0100
In-reply-to: <E1HPQzN-000061-Vi@xxxxxxxxxxxxxxxxxxxx>
List-unsubscribe: <mailto:mutt-dev-request@mutt.org?Subject="Unsubscribe Mutt Dev"?body=unsubscribe>
Mail-followup-to: Mutt Developers <mutt-dev@xxxxxxxx>
References: <mutt-pr-2839@xxxxxxxxxxxxx> <E1HPQzN-000061-Vi@xxxxxxxxxxxxxxxxxxxx>
Sender: owner-mutt-dev@xxxxxxxx
User-agent: Mutt/1.5.14+cvs20070301 (2007-02-28)

Re: To Mutt Developers 2007-03-08 <E1HPQzN-000061-Vi@xxxxxxxxxxxxxxxxxxxx>
> Responsible-Changed-From-To: gnats-admin->mutt-dev
> Responsible-Changed-By: cb

Sorry I messed up...

Christoph
-- 
cb@xxxxxxxx | http://www.df7cb.de/

--- Begin Message ---

To: Mutt Bugs <bug-any@xxxxxxxxxxxxx>
Subject: GnuPG and GnuPG clients unsigned data injection vulnerability
From: Christoph Berg <cb@xxxxxxxx>
Date: Thu, 8 Mar 2007 23:13:32 +0100
User-agent: Mutt/1.5.14+cvs20070301 (2007-02-28)

Forwarding #413688 here as well...

The attached mbox is available at http://bugs.debian.org/413688.

----- Forwarded message from Jö Fahlke <jorrit@xxxxxxxxx> -----

Date: Tue, 6 Mar 2007 17:01:33 +0100
From: Jö Fahlke <jorrit@xxxxxxxxx>
Reply-To: Jö Fahlke <jorrit@xxxxxxxxx>, 413688@xxxxxxxxxxxxxxx
To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
Subject: Bug#413688: mutt: GnuPG and GnuPG clients unsigned data injection
        vulnerability

Package: mutt
Version: 1.5.13-1.1
Severity: normal
Tags: security

[ Stealing the summary from GnuPGs announcement ]

Gerardo Richarte from Core Security Technologies identified a problem
when using GnuPG in streaming mode.

The problem is actually a variant of a well known problem in the way
signed material is presented in a MUA.  It is possible to insert
additional text before or after a signed (or signed and encrypted)
OpenPGP message and make the user believe that this additional text is
also covered by the signature.  The Core Security advisory describes
several variants of the attack; they all boil down to the fact that it
might not be possible to identify which part of a message is actually
signed if gpg is not used correctly.

Core Securities advisory:
http://www.coresecurity.com/?action=item&id=1687

Announcement on the GnuPG mailinglist:
http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html

I was able to verify that the second way of attack variant 2 decribed
by Core Security does indeed work with mutt from testing.  A testcase
is attached.

MfG,
Jö.

----- End forwarded message -----

Christoph
-- 
cb@xxxxxxxx | http://www.df7cb.de/

--- End Message ---

Attachment: signature.asc
Description: Digital signature

Follow-Ups:
- Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection
  - From: TAKAHASHI Tamotsu

References:
- Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection vulnerability
  - From: Christoph Berg

Prev by Date: Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection vulnerability
Next by Date: Re: imap/2837: MYRIGHTS not understood by Mirapoint IMAP4PROXY
Previous by thread: Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection vulnerability
Next by thread: Re: mutt/2839: GnuPG and GnuPG clients unsigned data injection
Index(es):
- Date
- Thread