Vulnerability Note VU#397604
GnuPG contains flaw in key validation code
A flaw in GnuPG's key validation code causes a key that carries several user IDs to report, for every user ID on the key, the validity computed for its best-certified user ID. A user ID that nobody in the local web of trust has certified can therefore be shown as fully valid simply because another user ID on the same key is.
From the GnuPG homepage:
GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI, Inc.
A user encrypting a message with GnuPG may not be warned that the recipient user ID being encrypted to has an insufficient or no trust path, because that user ID inherits the validity of a properly certified one on the same key. An attacker who controls a key with one validated user ID can add a second user ID claiming someone else's name and address, and affected versions present it as trustworthy.
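The following Python model is an added illustration of the flaw described above; it is not part of the CERT note and not GnuPG code. It assumes a deliberately simplified validity rule (one fully trusted certifier, or three marginally trusted certifiers, makes a user ID fully valid, mirroring GnuPG's default --completes-needed and --marginals-needed) and uses a constructed key "0xDEADBEEF" whose user IDs and certifiers are hypothetical. Trust depth, expiry and revocation are omitted.

```python
"""Model of the GnuPG multiple-user-ID validity flaw (CAN-2003-0255).

Added example, not GnuPG source. The web-of-trust rule is simplified
(assumed: 1 fully trusted or 3 marginally trusted certifiers => full
validity), enough to show why an uncertified user ID was reported as valid.
"""
from dataclasses import dataclass

# Ownertrust the local user has assigned to potential certifiers (constructed).
OWNERTRUST = {"alice": "full", "bob": "marginal", "carol": "marginal",
              "mallory": "unknown"}

COMPLETES_NEEDED = 1   # GnuPG default --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed

# Validity levels ordered from weakest to strongest.
RANK = {"unknown": 0, "marginal": 1, "full": 2}


@dataclass
class UserID:
    name: str
    certifiers: list   # names from OWNERTRUST that certified this user ID


@dataclass
class Key:
    keyid: str
    uids: list


def uid_validity(uid: UserID) -> str:
    """Validity of one user ID, derived only from its own certifications."""
    full = sum(1 for c in uid.certifiers if OWNERTRUST.get(c) == "full")
    marginal = sum(1 for c in uid.certifiers if OWNERTRUST.get(c) == "marginal")
    if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return "full"
    if full > 0 or marginal > 0:
        return "marginal"
    return "unknown"


def validities_fixed(key: Key) -> dict:
    """Corrected behaviour: every user ID keeps the validity it earned itself."""
    return {u.name: uid_validity(u) for u in key.uids}


def validities_flawed(key: Key) -> dict:
    """Behaviour this note describes: the best validity found on any user ID
    is reported for all user IDs on the key."""
    per_uid = validities_fixed(key)
    best = max(per_uid.values(), key=RANK.__getitem__)
    return {name: best for name in per_uid}


def encrypt_to(key: Key, uid_name: str, validities: dict) -> str:
    """Check a client makes before encrypting to the chosen user ID.
    Returns 'ok', or the warning a user should see (a real client prompts)."""
    v = validities[uid_name]
    if v == "full":
        return "ok"
    return (f"WARNING: {uid_name} on key {key.keyid} has insufficient "
            f"or no trust path (validity: {v})")


# Constructed sample key: the first user ID is certified by a fully trusted
# introducer; the second impersonates another person and has no certifiers.
SAMPLE_KEY = Key("0xDEADBEEF (hypothetical)", [
    UserID("Mallory <mallory@example.net>", ["alice"]),
    UserID("Alice Admin <alice@example.org>", []),
    UserID("Mallory (work) <m@work.example>", ["bob", "carol"]),
])
IMPERSONATED = "Alice Admin <alice@example.org>"

if __name__ == "__main__":
    for label, fn in (("flawed", validities_flawed), ("fixed", validities_fixed)):
        vals = fn(SAMPLE_KEY)
        print(label, vals)
        print("  encrypt to impersonating UID:", encrypt_to(SAMPLE_KEY, IMPERSONATED, vals))
```

Under the flawed computation every user ID on the sample key comes out "full" and the impersonating user ID is accepted without a warning; under the corrected computation it is "unknown" and the warning fires. On a real keyring the per-user-ID result can be inspected with `gpg --list-keys --with-colons`, where field 2 of each `uid` record carries that user ID's own validity.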
Apply a patch from your vendor. If no vendor patch is available, apply the patch produced by the GnuPG team; the fix is also included in GnuPG 1.2.2. After updating, confirm that each user ID on a multi-user-ID key is shown with its own validity (for example in field 2 of the uid records printed by gpg --list-keys --with-colons) rather than all user IDs sharing the best one.
Systems Affected

Vendor                     Status     Date Notified   Date Updated
Conectiva                  Affected   -               14 Jul 2003
Free Software Foundation   Affected   -               20 May 2003
Guardian Digital Inc.      Affected   -               20 May 2003
OpenPKG                    Affected   -               20 May 2003
Red Hat Inc.               Affected   -               21 May 2003
Slackware                  Affected   -               22 May 2003
This vulnerability was discovered by the GnuPG Team. The CERT/CC thanks the GnuPG Team for providing information upon which this document is based.
This document was written by Ian A Finlay.
- CVE IDs: CAN-2003-0255 (now CVE-2003-0255)
- Date Public: 03 May 2003
- Date First Published: 20 May 2003
- Date Last Updated: 14 Jul 2003
- Severity Metric: 6.75
- Document Revision: 10
If you have feedback, comments, or additional information about this vulnerability, please send us email.