GnuPG Multiple Userid Key Validity

2003-05-03T20:35:26
ID OSVDB:4947
Type osvdb
Reporter David Shaw(dshaw@jabberwocky.com)
Modified 2003-05-03T20:35:26

Description

Vulnerability Description

GnuPG versions prior to 1.2.2 handle trust relationships of multiple userids bound to a single key incorrectly. If a key has more than one userid, all userids assume the validity of the most valid userid, rather than applying the relevant trust path to each userid individually.

Technical Description

The trust relationship between an encrypting user and the userid they are encrypting to is dictated by a trust path. In cases where a key has more than one userid associated with it, each userid should have its own independent trust path (or lack thereof) to the encrypting party.

Let us suppose that there is a GnuPG key with the userid spamtrap@example.net bound to it, and the userid spamtrap@osvdb.org also bound to it. Let us further suppose that the encrypting party has a sufficient trust path to spamtrap@osvdb.org, and no trust path to spamtrap@example.net. The correct behaviour should be that the userid spamtrap@osvdb.org is fully valid for that encrypting party, and there will be no warning message displayed when encrypting to the spamtrap@osvdb.org userid. However, the userid spamtrap@example.net is not fully valid, and a warning message should be displayed when encrypting to that userid. Instead, if there is one fully valid userid for a given key, no warning messages will be displayed when encrypting to any userid bound to that key. So, in this case, encrypting to spamtrap@osvdb.org and encrypting to spamtrap@example.net would both succeed without a warning message.

Keys with only one userid bound to them are not affected by this vulnerability.

Solution Description

Upgrade to version 1.2.2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the patch provided by the vendor for versions 1.2.1, 1.2.0, and 1.0.7. Versions 1.0.6 and older must upgrade.

Short Description

GnuPG versions prior to 1.2.2 handle trust relationships of multiple userids bound to a single key incorrectly. If a key has more than one userid, all userids assume the validity of the most valid userid, rather than applying the relevant trust path to each userid individually.

References:

Vendor URL: http://www.gnupg.org/ Vendor Specific Solution URL: http://archives.neohapsis.com/archives/bugtraq/2003-05/att-0062/patch-gnupg-1.2.1-trustfix.txt Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL RedHat RHSA: RHSA-2003:175 RedHat RHSA: RHSA-2003:176 Nessus Plugin ID:14044 Nessus Plugin ID:12396 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-05/0062.html Keyword: PGP Keyword: Crypto ISS X-Force ID: 11930 CVE-2003-0255 CERT VU: 397604 Bugtraq ID: 7497