When encoding trumps encryption (or: the latest GnuPG issue)

Published: 2007-03-06
Last Updated: 2007-03-07 12:39:48 UTC
by Arrigo Triulzi (Version: 1)
0 comment(s)
The latest GnuPG security advisory is, in the specific case of GnuPG, more of a "Human-Computer Interaction" than a security hole proper. The flaw is not in the encryption but in the way in which OpenPGP, a standard way of transmitting PGP-encrypted data, is interpreted by GnuPG "helpers" such as Enigmail and mail programs such as Evolution, KMail, etc.

An OpenPGP-compliant message can be made up of multiple sections, not all of which need to be signed or encrypted. The "helpers" and mail software do not use the GnuPG API correctly to interpret where the sections start and end leading to something called "injection" which is a fancy name for "adding untrusted data which is undetectable from trusted data".

Translated: you see the pretty icon telling you that the whole message is encrypted and signed whereas there is a section of it (text, image, binary, whatever) which isn't.

What if you use GnuPG "raw"? Well, the visual cues are insufficient even for an advanced user and this is why a new release of GnuPG is being distributed and relevant CVE numbers were issued.

To give you an idea of the extent of the issue here are the CVE numbers:
  • CVE-2007-1263 - for the visual distinction issues in GnuPG itself, all 4 attacks.
  • CVE-2007-1264 - Enigmail improper use of --status-fd
  • CVE-2007-1265 - KMail improper or non-existing use of --status-fd
  • CVE-2007-1266 - Evolution improper or non-existing use of --status-fd
  • CVE-2007-1267 - Sylpheed improper or non-existing use of --status-fd
  • CVE-2007-1268 - Mutt improper or non-existing use of --status-fd
  • CVE-2007-1269 - GNUMail improper or non-existing use of --status-fd
Please note that the list is not exhaustive, for example I use GPGMail for Apple's Mail.app and I am yet to test if it is vulnerable.
0 comment(s)
Diary Archives