A vulnerability in GnuPG may cause keys with multiple user ID's to give other user IDs on the key a false amount of validity.
From the GnuPG homepage:
GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI, Inc.
A user encrypting a message using GnuPG may not be warned if the target user key being encrypted to has an "insufficient or no trust path".
Apply a patch from your vendor. If a patch is not available, you may wish to apply the patch produced by the GnuPG team.
This vulnerability was discovered by the GnuPG Team. The CERT/CC thanks the GnuPG Team for providing information upon which this document is based.
This document was written by Ian A Finlay.
|Date First Published:||2003-05-20|
|Date Last Updated:||2003-07-14 18:19 UTC|