GnuPG Private Key Silent Import

2000-12-20T07:53:45
ID OSVDB:1702
Type osvdb
Reporter Florian Weimer (fw@deneb.enyo.de)
Modified 2000-12-20T07:53:45

Description

Vulnerability Description

GnuPG contains a flaw that may allow a malicious user to compromise the web of trust. The issue is triggered when the user retrieves keys from a public keyserver: GnuPG imports private keys as well as public ones and does not warn the user that a private key was imported. An attacker can therefore upload a private key to the keyserver alongside a public one. Because private keys are implicitly trusted, the flaw may allow a change in the trust relationships of the web of trust, resulting in a loss of integrity.
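
A defensive check for the behaviour described above, as an added example (not part of the original advisory and not GnuPG's code): it walks the packet headers of a binary OpenPGP blob, following the RFC 4880 header layout, and reports any secret-key packets so that a keyserver response can be rejected before import. The function names and sample bytes are constructed for illustration, and the input is assumed to be already dearmored.

```python
# Added example: flag secret-key packets in an OpenPGP key blob before import.
SECRET_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}  # RFC 4880, section 4.3

def packet_tags(data: bytes) -> list[int]:
    """Return the tag of every packet in a binary (non-armored) OpenPGP stream."""
    tags, i = [], 0
    try:
        while i < len(data):
            hdr = data[i]
            if not hdr & 0x80:
                raise ValueError(f"offset {i}: not an OpenPGP packet header")
            i += 1
            if hdr & 0x40:                      # new-format header
                tag, first = hdr & 0x3F, data[i]
                if first < 192:                 # one-octet length
                    length, i = first, i + 1
                elif first < 224:               # two-octet length
                    length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
                elif first == 255:              # five-octet length
                    length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
                else:
                    raise ValueError("partial body length not expected in key material")
            else:                               # old-format header
                tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
                if ltype == 3:                  # indeterminate: runs to end of data
                    length = len(data) - i
                else:
                    n = 1 << ltype              # 1, 2 or 4 length octets
                    length, i = int.from_bytes(data[i:i + n], "big"), i + n
            if i + length > len(data):
                raise ValueError("truncated packet body")
            tags.append(tag)
            i += length
    except IndexError:
        raise ValueError("truncated packet header") from None
    return tags

def secret_packets(data: bytes) -> list[str]:
    """Names of secret-key packets that a public keyserver reply should never contain."""
    return [SECRET_TAGS[t] for t in packet_tags(data) if t in SECRET_TAGS]

# Constructed samples: header bytes are real encodings, bodies are dummy filler.
PUBLIC_ONLY = bytes([0x98, 3]) + b"\x04\x00\x00" + bytes([0xB4, 4]) + b"test"
WITH_SECRET = PUBLIC_ONLY + bytes([0xC5, 2]) + b"\x04\x00"

if __name__ == "__main__":
    for name, blob in (("public only", PUBLIC_ONLY), ("with secret", WITH_SECRET)):
        found = secret_packets(blob)
        print(name, "->", "REJECT: " + ", ".join(found) if found else "ok")
```
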

Solution Description

Upgrade to version 1.0.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-12/0347.html
ISS X-Force ID: 5803
CVE-2001-0072
Bugtraq ID: 2153