CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#566640

pgp4pine fails to properly check for expired public keys

Overview

The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package.

I. Description

The program pgp4pine provides an interface for various PGP implementations to the PINE mail reading package. Version 1.75.6 of pgp4pine does not check to see if public keys are expired when loading keys from the GnuPG openPGP implementation. When a user specifies an expired public key in their key ring and attempts to encrypt a message with that expired public key, pgp4pine will not check to see if the key is expired. Instead, pgp4pine will issue a command to GnuPG to encrypt the email message with the expired key. The encryption will not be successful and GnuPG will return an error message indicating that the key is invalid. pgp4pine does not detect the error message, and does not notify the user that an error has occurred. The clear text is then returned to the program flow control of PINE. PINE will then transmit the message in clear text.

For more information, see the advisory provided by CryptNET.

II. Impact

Sensitive materials may be transmitted over the network in clear text, without the intention or knowledge of the sender.

III. Solution

No vender patch is known to exist. However, a patch is provided by CryptNET.

Validate all keys on your keyring at regular intervals. Remove expired keys.

Systems Affected

VendorStatusDate Updated
Holger LammVulnerable12-Jul-2001

References


http://www.cryptnet.net/fcp/audit/pgp4pine/01.html
http://www.securityfocus.com/bid/2405
http://xforce.iss.net/static/6135.php
http://devrandom.net/lists/archives/2001/2/Bugtraq/0383.html
http://security-archive.merton.ox.ac.uk/bugtraq-200102/0389.html
http://pgp4pine.flatline.de/

Credit

Our thanks to CryptNET, who published an advisory on this problem, available at http://www.cryptnet.net/fcp/audit/pgp4pine/01.html

This document was written by Jason Rafail.

Other Information

Date Public02/20/2001
Date First Published07/12/2001 05:01:14 PM
Date Last Updated01/15/2002
CERT Advisory 
CVE NameCAN-2001-0273
Metric0.68
Document Revision9

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2001 Carnegie Mellon University