Computer Security


Unsigned content spoofing in multiple applications launching GnuPG
Published:06.03.2007
Source:
SecurityVulns ID:7351
Type:client
Threat Level:6/10
Description:Signed text boundaries are incorrectly shown or not shown, making it possible to insert unsigned OpenPGP packets into a signed message so that the injected content is displayed as if it were covered by the valid signature.
Affected:MUTT : mutt 1.5
 GNU : GnuPG 1.4
 KDE : KMail 1.9
 ENIGMAIL : Enigmail 0.94
 GNOME : Evolution 2.8
 SYLPHEED : Sylpheed 2.2
 GNUMAIL : GNUMail 1.1
CVE:CVE-2007-1269 (GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1268 (Mutt 1.5.13 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Mutt from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1267 (Sylpheed 2.2.7 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Sylpheed from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1266 (Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1265 (KMail 1.9.5 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents KMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1264 (Enigmail 0.94.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Enigmail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1263 (GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.)
Original document: CORE SECURITY TECHNOLOGIES ADVISORIES, CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability (06.03.2007)
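All seven CVEs above describe the same client-side mistake: the front end runs gpg, sees a GOODSIG, and treats the whole output as signed instead of consuming the machine-readable --status-fd stream, where each literal-data packet gpg unpacks produces its own PLAINTEXT line. The following is an added example written for this page, not code from GnuPG, Core Security or any of the listed clients. It assumes the "[GNUPG:] KEYWORD args" status-line format documented in GnuPG's doc/DETAILS; the sample streams, key IDs, fingerprints, timestamps and file names are constructed. GnuPG versions after 1.4.6 reject messages with more than one plaintext themselves, so this check is defense in depth for a client that may still be paired with an older gpg.

```python
"""Added example: consuming GnuPG's --status-fd output to tell a fully signed
message from one with injected unsigned packets.

Not code from GnuPG, Core Security or any of the affected clients. Status
keywords follow GnuPG's doc/DETAILS; all sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Keywords that mean the output must not be presented as signed.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                    "NODATA", "UNEXPECTED", "FAILURE"}


def gpg_verify_argv(status_fd: int = 3) -> List[str]:
    """Command line a client should use: plaintext on stdout, status lines on
    a dedicated descriptor (here fd 3, an assumption) so the two streams can
    never be confused with each other or with stderr diagnostics."""
    return ["gpg", "--batch", "--no-tty", "--status-fd", str(status_fd),
            "--output", "-", "--decrypt", "-"]


def parse_status(stream: str) -> Iterator[Tuple[str, str]]:
    """Yield (keyword, arguments) for every status line; skip anything else."""
    for line in stream.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        body = line[len(STATUS_PREFIX):].split(None, 1)
        yield body[0], (body[1] if len(body) > 1 else "")


@dataclass
class Verdict:
    fully_signed: bool
    plaintext_count: int
    good_signatures: int
    reasons: List[str] = field(default_factory=list)


def assess(stream: str) -> Verdict:
    """Decide whether everything gpg emitted as plaintext is covered by a good
    signature. The vulnerable clients only looked for GOODSIG and so treated
    prepended or appended literal-data packets as signed as well."""
    plaintext = 0
    good = 0
    reasons: List[str] = []
    for keyword, args in parse_status(stream):
        if keyword == "PLAINTEXT":
            plaintext += 1
        elif keyword == "GOODSIG":
            good += 1
        elif keyword in FAILURE_KEYWORDS:
            reasons.append(f"{keyword} {args}".rstrip())
    if plaintext == 0:
        reasons.append("no PLAINTEXT: gpg produced no literal data")
    elif plaintext > 1:
        # A signed OpenPGP message carries exactly one literal-data packet, so
        # a second PLAINTEXT line means extra, unsigned content was present.
        reasons.append(f"{plaintext} PLAINTEXT lines: unsigned packet(s) injected")
    if good == 0:
        reasons.append("no GOODSIG: output is unsigned")
    return Verdict(fully_signed=not reasons, plaintext_count=plaintext,
                   good_signatures=good, reasons=reasons)


# Constructed status stream for a correctly signed message.
SIGNED_OK = """\
[GNUPG:] PLAINTEXT 74 1173139200 message.txt
[GNUPG:] PLAINTEXT_LENGTH 42
[GNUPG:] SIG_ID 0000000000000000000000000001 2007-03-06 1173139200
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-03-06 1173139200 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY
"""

# Same message with an attacker's literal-data packet appended after the
# signature: gpg still reports GOODSIG, but a second PLAINTEXT line appears.
INJECTED = SIGNED_OK + """\
[GNUPG:] PLAINTEXT 74 1173139201 injected.txt
[GNUPG:] PLAINTEXT_LENGTH 80
"""

# Plaintext with no signature at all.
UNSIGNED = """\
[GNUPG:] PLAINTEXT 74 1173139200 message.txt
[GNUPG:] PLAINTEXT_LENGTH 42
"""

if __name__ == "__main__":
    for name, stream in (("signed", SIGNED_OK), ("injected", INJECTED),
                         ("unsigned", UNSIGNED)):
        v = assess(stream)
        print(f"{name:9s} fully_signed={v.fully_signed} "
              f"plaintext={v.plaintext_count} reasons={v.reasons}")
```

The decisive rule is the PLAINTEXT count, not the presence of GOODSIG: in the injected sample gpg verifies the genuine signature perfectly well, and only the second PLAINTEXT line reveals that part of what the user will read was never signed. A client that instead parses gpg's human-readable stderr, as the affected versions did, has no reliable way to see that boundary.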

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod