Re: [Mutt] #2839: GnuPG and GnuPG clients unsigned data injection
#2839: GnuPG and GnuPG clients unsigned data injection vulnerability
Changes (by brendan):
* component: mutt => crypto
* milestone: => 1.6
Old description:
> {{{
> Forwarding #413688 here as well...
>
> The attached mbox is available at http://bugs.debian.org/413688.
>
> ----- Forwarded message from Jö Fahlke <jorrit@xxxxxxxxx> -----
>
> Date: Tue, 6 Mar 2007 17:01:33 +0100
> From: Jö Fahlke <jorrit@xxxxxxxxx>
> Reply-To: Jö Fahlke <jorrit@xxxxxxxxx>, 413688@xxxxxxxxxxxxxxx
> To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
> Subject: Bug#413688: mutt: GnuPG and GnuPG clients unsigned data
> injection vulnerability
>
> Package: mutt
> Version: 1.5.13-1.1
> Severity: normal
> Tags: security
>
> [ Stealing the summary from GnuPG's announcement ]
>
> Gerardo Richarte from Core Security Technologies identified a problem
> when using GnuPG in streaming mode.
>
> The problem is actually a variant of a well known problem in the way
> signed material is presented in a MUA. It is possible to insert
> additional text before or after a signed (or signed and encrypted)
> OpenPGP message and make the user believe that this additional text is
> also covered by the signature. The Core Security advisory describes
> several variants of the attack; they all boil down to the fact that it
> might not be possible to identify which part of a message is actually
> signed if gpg is not used correctly.
>
> Core Security's advisory:
> http://www.coresecurity.com/?action=item&id=1687
>
> Announcement on the GnuPG mailing list:
> http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html
>
> I was able to verify that the second way of attack variant 2 described
> by Core Security does indeed work with mutt from testing. A testcase
> is attached.
>
> MfG,
> Jö.
>
> ----- End forwarded message -----
>
> Christoph
> -- 
> cb@xxxxxxxx | http://www.df7cb.de/
>
> >Fix:
> Unknown
> }}}
New description:
{{{
Forwarding #413688 here as well...
The attached mbox is available at http://bugs.debian.org/413688.
----- Forwarded message from Jö Fahlke <jorrit@xxxxxxxxx> -----
Date: Tue, 6 Mar 2007 17:01:33 +0100
From: Jö Fahlke <jorrit@xxxxxxxxx>
Reply-To: Jö Fahlke <jorrit@xxxxxxxxx>, 413688@xxxxxxxxxxxxxxx
To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
Subject: Bug#413688: mutt: GnuPG and GnuPG clients unsigned data
injection vulnerability
Package: mutt
Version: 1.5.13-1.1
Severity: normal
Tags: security
[ Stealing the summary from GnuPG's announcement ]
Gerardo Richarte from Core Security Technologies identified a problem
when using GnuPG in streaming mode.
The problem is actually a variant of a well known problem in the way
signed material is presented in a MUA. It is possible to insert
additional text before or after a signed (or signed and encrypted)
OpenPGP message and make the user believe that this additional text is
also covered by the signature. The Core Security advisory describes
several variants of the attack; they all boil down to the fact that it
might not be possible to identify which part of a message is actually
signed if gpg is not used correctly.
Core Security's advisory:
http://www.coresecurity.com/?action=item&id=1687
Announcement on the GnuPG mailing list:
http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html
I was able to verify that the second way of attack variant 2 described
by Core Security does indeed work with mutt from testing. A testcase
is attached.
MfG,
Jö.
----- End forwarded message -----
Christoph
-- 
cb@xxxxxxxx | http://www.df7cb.de/
>Fix:
Unknown
}}}
Comment:
Must be properly assessed before 1.6.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/2839#comment:2>
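
An added example, not part of the ticket or of mutt's code: one way a mail client can keep text outside a cleartext-signed block visibly separate from text the signature claims to cover, which is the presentation problem the description refers to. It assumes the inline cleartext-armor case only (not the packet-level variants in the advisory), leaves the actual signature check to gpg, and the names `split_regions`, `has_unsigned_text` and `SAMPLE` are hypothetical.

```python
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def split_regions(body):
    """Split a mail body into ('unsigned' | 'signed-claim', text) regions."""
    regions, buf, state = [], [], "outside"

    def flush(kind):
        if buf:
            regions.append((kind, "\n".join(buf)))
            buf.clear()

    for line in body.splitlines():
        marker = line.rstrip()
        if state == "outside" and marker == BEGIN:
            flush("unsigned")
            state = "headers"
        elif state == "headers":
            if marker == "":          # blank line ends the armor headers
                state = "text"
        elif state == "text" and marker == SIG_BEGIN:
            flush("signed-claim")     # still needs gpg to verify it
            state = "signature"
        elif state == "text":
            # Undo dash-escaping so the text matches what was signed.
            buf.append(line[2:] if line.startswith("- ") else line)
        elif state == "signature":
            if marker == SIG_END:
                state = "outside"
        else:
            buf.append(line)
    flush("unsigned")  # trailing text, or a block that never got a signature
    return regions

def has_unsigned_text(regions):
    """True when a signed block shares the body with non-blank unsigned text."""
    kinds = {kind for kind, text in regions if text.strip()}
    return kinds == {"unsigned", "signed-claim"}

# Constructed sample; the signature body is a placeholder, not real data.
SAMPLE = "\n".join([
    "Text placed before the signed block.", BEGIN, "Hash: SHA1", "",
    "Meeting moved to Friday.", "- - bring the minutes", SIG_BEGIN, "",
    "(constructed placeholder)", SIG_END, "Text placed after the signed block.",
])
```

A client would render each `unsigned` region with a marker distinct from the `signed-claim` region, and show a signature status only for the latter after gpg has verified it.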