GnuPG will import private keys along with public keys
| gnupg-reveal-private (5803) |  Medium Risk |
Description:
GNU Privacy Guard (GnuPG or GPG) could allow a remote attacker to corrupt the user's Web of trust, by importing private keys from untrusted sources. GnuPG imports private keys along with public keys when importing keys from a public key server. A remote attacker could exploit this vulnerability by uploading a public and private key to a certificate authority or key server.
Consequences:
Remedy:
For Red Hat Linux 6.2 and 7.0:
Upgrade to the latest version of GnuPG (1.0.4-8.6 or later), as listed in RHSA-2000:131-02. See References.
For Linux Mandrake 7.0 and 7.1:
Upgrade to the latest version of GnuPG (1.0.4-3.2 or later), as listed in MandrakeSoft Security Advisory MDKSA-2000:087 : gnupg. See References.
For Linux-Mandrake 7.2:
Upgrade to the latest version of GnuPG (1.0.4-3.1 or later), as listed in MandrakeSoft Security Advisory MDKSA-2000:087 : gnupg. See References.
For Trustix Secure Linux 1.0, 1.1, and 1.2:
Upgrade to the latest version of GnuPG (1.0.4-4tr or later), as listed in Trustix Security Advisory - gnupg, ftpd-BSD. See References.
For Debian Linux 2.2 (potato):
Upgrade to the latest version of gnupg (1.0.4-1.1 or later), as listed in Debian Security Advisory 20001225b. See References.
For Immunix OS 6.2, 7.0 and 7.0-beta:
Upgrade to the latest version of gnupg (1.0.5-2 or later), as listed in Immunix OS Security Advisory IMNX-2001-70-018-01. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- BugTraq Mailing List, Wed Dec 20 2000 - 07:53:45 CST: Trustix Security Advisory - gnupg, ftpd-BSD.
- Immunix OS Security Advisory IMNX-2001-70-018-01: gnupg.
- MandrakeSoft Security Advisory MDKSA-2000:087: gnupg.
- BID-2153: GnuPG Silent Import of Secret Keys Vulnerability
- CVE-2001-0072: gpg (aka GnuPG) 1.0.4 and other versions imports both public and private keys from public key servers without notifying the user about the private keys, which could allow an attacker to break the web of trust.
- OSVDB ID: 1702: GnuPG Private Key Silent Import
- RHSA-2000-131: Updated gnupg packages now available
Platforms Affected:
- GNU Privacy Guard 1.0
- GNU Privacy Guard 1.0.1
- GNU Privacy Guard 1.0.2
- GNU Privacy Guard 1.0.3
- RedHat Linux 6.2
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.2
- RedHat Linux 7.3
Reported:
Dec 20, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this