Debian Security Advisory 1266-1 - Gerardo Richarte discovered that GnuPG, a free PGP replacement, provides insufficient user feedback if an OpenPGP message contains both unsigned and signed portions. Inserting text segments into an otherwise signed message could be exploited to forge the content of signed messages. This update prevents such attacks; the old behaviour can still be activated by passing the --allow-multiple-messages option.
Ubuntu Security Notice 432-2 - USN-432-1 fixed a vulnerability in GnuPG. This update provides the corresponding updates for GnuPG2 and the GPGME library. Gerardo Richarte from Core Security Technologies discovered that when gnupg is used without --status-fd, there is no way to distinguish initial unsigned messages from a following signed message. An attacker could inject an unsigned message, which could fool the user into thinking the message was entirely signed by the original sender.
Mandriva Linux Security Advisory - GnuPG prior to 1.4.7 and GPGME prior to 1.1.4, when run from the command line, did not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components. This could allow a remote attacker to forge the contents of an email message without detection.
Ubuntu Security Notice 432-1 - Gerardo Richarte from Core Security Technologies discovered that when gnupg is used without --status-fd, there is no way to distinguish initial unsigned messages from a following signed message. An attacker could inject an unsigned message, which could fool the user into thinking the message was entirely signed by the original sender.
Core Security Technologies Advisory - GnuPG and GnuPG clients suffer from an unsigned data injection vulnerability.