Site Sponsor:

mcafee_logo.gif
line

Now Available:

Featured Resource:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Dan or post a comment to the blog.

« Microsoft's Over Zealous Anti-Virus | Main | Pump and Dump Schemes Shut Down »

Data Injection Vulnerability in GnuPG

Core Security Technologies has issued an advisory about GnuPG (GnuPG and GnuPG clients unsigned data injection vulnerability
). Gerardo Richarte of Core Security Technologies has found that GnuPG and GnuPG clients are vulnerable to an unsigned data injection attack. According to the advisory:

An attacker is able to add arbitrary content to a signed message. The receiver of the message (using a mail client such as Enigmail to read the message) will not be able to distinguish the forged and the properly signed parts of the message.

The vulnerability stems from the feature of OpenPGP that allows for multiple portions of a message, some of which are signed and some of which are not signed.

The advisory stresses that this is not a cryptographic problem but a problem with how the message is displayed ot the user.

A number of applications are affected, including: GnuPG, Enigmail, Kmail, Evolution, Sylpheed, Mutt, and GnuMail.

The vulnerability has been fixed in GnuPG 1.4.7 and GPGME 1.1.4. For earlier versions, a patch is available at http://www.gnupg.org/download/

Tags:    
 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Dan Sullivan on March 9, 2007 7:53 AM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-websecurity.com/type/mt-tb.cgi/248

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Latest White Papers

line

Blog Roll

line

Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net