SERIOUS PGP BUG!

Dave Dittrich dittrich at cac.washington.edu
Sat Aug 26 09:15:16 PDT 2000 

For those who use PGP for encrypting email traffic:  Here are details on
the vulnerability that CERT mentioned last week.

--
Dave Dittrich                           Computing & Communications
dittrich at cac.washington.edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Thu, 24 Aug 2000 10:28:51 -0400
Subject: SERIOUS PGP BUG!
From: Phosgene <phosgene at SETEC.ORG>
To: BUGTRAQ at SECURITYFOCUS.COM

In case you have not heard there is a serious bug in some versions of PGP
related to additonal decryption keys (ADK).
For more information look at John Young's site which details some of this:
http://cryptome.org/pgp-badbug.htm

Quoting from an email on the site:

"Tested versions of PGP:
PGP-2.6.3ia UNIX   (not vulnerable - doesn't support V4 signatures)
PGP-5.0i UNIX      (not vulnerable)
PGP-5.5.3i WINDOWS (VULNERABLE)
PGP-6.5.1i WINDOWS (VULNERABLE)
GnuPG-1.0.1 UNIX   (not vulnerable)"

A paper detailing an aspect of the vulnerability is written by Ralf
Senderek: http://senderek.de/security/key-experiments.html and his student
Stephen Early <Stephen.Early at cl.cam.ac.uk> seems to have worked on
detailing this vulnerability as well on the ukcrypto mailing list.

Phosgene




---------- Forwarded message ----------
Date: Sat, 26 Aug 2000 09:59:20 +1000
Subject: Re: SERIOUS PGP BUG!
From: Howard Lowndes <lannet at LANNET.COM.AU>
To: BUGTRAQ at SECURITYFOCUS.COM

Just to add to this:

PGP-6.5.1i for UNIX is vulnerable

--
Howard.
______________________________________________________
LANNet Computing Associates <http://www.lannet.com.au>

On Thu, 24 Aug 2000, Phosgene wrote:

> In case you have not heard there is a serious bug in some versions of PGP
> related to additonal decryption keys (ADK).
> For more information look at John Young's site which details some of this:
> http://cryptome.org/pgp-badbug.htm
>
> Quoting from an email on the site:
>
> "Tested versions of PGP:
> PGP-2.6.3ia UNIX   (not vulnerable - doesn't support V4 signatures)
> PGP-5.0i UNIX      (not vulnerable)
> PGP-5.5.3i WINDOWS (VULNERABLE)
> PGP-6.5.1i WINDOWS (VULNERABLE)
> GnuPG-1.0.1 UNIX   (not vulnerable)"
>
> A paper detailing an aspect of the vulnerability is written by Ralf
> Senderek: http://senderek.de/security/key-experiments.html and his student
> Stephen Early <Stephen.Early at cl.cam.ac.uk> seems to have worked on
> detailing this vulnerability as well on the ukcrypto mailing list.
>
> Phosgene
>

More information about the Linux mailing list