Vulnerability Note VU#397604

GnuPG contains flaw in key validation code

Original Release date: 20 May 2003 | Last revised: 14 Jul 2003

Overview

A vulnerability in GnuPG may cause keys with multiple user ID's to give other user IDs on the key a false amount of validity.

Description

From the GnuPG homepage:

    GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI, Inc.

A vulnerability in GnuPG may cause keys with multiple user ID's to give other user IDs on the key a false amount of validity. From the GnuPG announcement:
    As part of the development of GnuPG 1.2.2, a bug was discovered in the key validation code. This bug causes keys with more than one user ID to give all user IDs on the key the amount of validity given to the most-valid key.

Impact

A user encrypting a message using GnuPG may not be warned if the target user key being encrypted to has an "insufficient or no trust path".

Solution

Apply a patch from your vendor. If a patch is not available, you may wish to apply the patch produced by the GnuPG team.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
ConectivaAffected-14 Jul 2003
Free Software FoundationAffected-20 May 2003
Guardian Digital Inc. Affected-20 May 2003
OpenPKGAffected-20 May 2003
Red Hat Inc.Affected-21 May 2003
SlackwareAffected-22 May 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was discovered by the GnuPG Team. The CERT/CC thanks the GnuPG Team for providing information upon which this document is based.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CAN-2003-0255
  • Date Public: 03 May 2003
  • Date First Published: 20 May 2003
  • Date Last Updated: 14 Jul 2003
  • Severity Metric: 6.75
  • Document Revision: 10

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.