bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of...

Design/Logic Flaw

PGP Desktop 10.0.x before 10.0.3 SP2 and 10.1.0 before 10.1.0 SP1 does not properly implement the "Decrypt/Verify File via Right-Click" functionality for multi-packet OpenPGP messages that represent multi-message input, which allows remote attackers to spoof signed data by concatenating an...

GnuPG and GnuPG clients unsigned data injection vulnerability

Advisory ID Internal CORE-2007-0115 Date Published: 2007-03-05 Last Update: 2007-03-05 Advisory ID: CORE-2007-0115 Bugtraq IDs: BID 22757 - GnuPG BID 22758 - Enigmail BID 22759 - KMail BID 22760 - Evolution BID 22777 - Sylpheed BID 22778 - Mutt BID 22779 - GNUMail CVE Names: CVE-2007-1263 for the...

CVE-2006-0049

gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different...