Unsigned content spoofing in multiple application launching GnuPG
Published: 06.03.2007
Source: BUGTRAQ
SecurityVulns ID: 7351
Type: client
Level: 6/10
Description: The boundaries of signed text are shown incorrectly or not at all, making it possible to insert unsigned packets into a signed message without the reader noticing.
Affected:
 MUTT: Mutt 1.5
 GNUPG: GnuPG 1.4
 KDE: KMail 1.9
 ENIGMAIL: Enigmail 0.94
 GNOME: Evolution 2.8
 SYLPHEED: Sylpheed 2.2
 GNUMAIL: GNUMail 1.1
CVE: CVE-2007-1269 (GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1268 (Mutt 1.5.13 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Mutt from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1267 (Sylpheed 2.2.7 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Sylpheed from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1266 (Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1265 (KMail 1.9.5 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents KMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1264 (Enigmail 0.94.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Enigmail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1263 (GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.)
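The mitigation the CVE entries point at is for the client to read GnuPG's --status-fd output rather than the human-readable output and to refuse to present a message as signed when more than one plaintext block was seen. The following is an added example of that check; it is not code from the Core advisory or from any of the listed clients. It assumes the standard "[GNUPG:] KEYWORD args" status-line format and the PLAINTEXT, GOODSIG, VALIDSIG, BADSIG and ERRSIG keywords; the sample status output is constructed, with placeholder key ids and timestamps.

```python
import re

# Status lines written to --status-fd look like "[GNUPG:] KEYWORD args..."
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def parse_status(status_text):
    """Yield (keyword, args) for every status line; other lines are ignored."""
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2) or ""

def classify(status_text):
    """Return 'signed', 'bad-signature', 'unsigned' or 'mixed'; a client should
    render the message as signed only for 'signed'. A second PLAINTEXT block
    means an unsigned packet was mixed into the message, hence 'mixed'."""
    segments = []  # one entry per PLAINTEXT block: None, 'good' or 'bad'
    for keyword, _args in parse_status(status_text):
        if keyword == "PLAINTEXT":
            segments.append(None)
        elif keyword in ("GOODSIG", "VALIDSIG") and segments and segments[-1] is None:
            segments[-1] = "good"
        elif keyword in ("BADSIG", "ERRSIG") and segments and segments[-1] is None:
            segments[-1] = "bad"
    if not segments:
        return "unsigned"
    if len(segments) > 1:
        return "mixed"
    return {"good": "signed", "bad": "bad-signature", None: "unsigned"}[segments[0]]

# Constructed status output (not captured from a real gpg run); key id,
# user id and timestamps are placeholders.
CLEAN = """\
[GNUPG:] PLAINTEXT 62 1173139200 msg.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] VALIDSIG 00000000000000000000000001234567 2007-03-06 1173139200 0 3 0 17 2 00 0123456789ABCDEF
"""
# A second literal packet placed in front of the genuinely signed one
INJECTED = """\
[GNUPG:] PLAINTEXT 62 1173139200 inject.txt
[GNUPG:] PLAINTEXT 62 1173139200 msg.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
"""
UNSIGNED = "[GNUPG:] PLAINTEXT 62 1173139200 msg.txt\n"
BAD = UNSIGNED + "[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>\n"

if __name__ == "__main__":
    for name, out in [("clean", CLEAN), ("injected", INJECTED), ("unsigned", UNSIGNED), ("bad", BAD)]:
        print(f"{name}: {classify(out)}")
```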
Original document: CORE SECURITY TECHNOLOGIES ADVISORIES, CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability (06.03.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod