Package: mutt
Version: 1.5.13-1.1
Severity: normal
Tags: security

[ Stealing the summary from GnuPG's announcement ]

Gerardo Richarte from Core Security Technologies identified a problem
when using GnuPG in streaming mode.

The problem is actually a variant of a well known problem in the way
signed material is presented in a MUA.  It is possible to insert
additional text before or after a signed (or signed and encrypted)
OpenPGP message and make the user believe that this additional text is
also covered by the signature.  The Core Security advisory describes
several variants of the attack; they all boil down to the fact that it
might not be possible to identify which part of a message is actually
signed if gpg is not used correctly.

Core Security's advisory:
http://www.coresecurity.com/?action=item&id=1687

Announcement on the GnuPG mailing list:
http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html

I was able to verify that the second way of attack variant 2 described
by Core Security does indeed work with mutt from testing.  A testcase
is attached.

Kind regards,
Jö.

-- System Information:
Debian Release: 4.0
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'testing'), (500, 'stable'), (1, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)

Versions of packages mutt depends on:
ii  exim4                     4.63-17        metapackage to ease exim MTA (v4) 
ii  exim4-daemon-light [mail- 4.63-17        lightweight exim MTA (v4) daemon
ii  libc6                     2.3.6.ds1-11   GNU C Library: Shared libraries
ii  libdb4.4                  4.4.20-8       Berkeley v4.4 Database Libraries [
ii  libgnutls13               1.4.4-3        the GNU TLS library - runtime libr
ii  libidn11                  0.6.5-1        GNU libidn library, implementation
ii  libncursesw5              5.5-5          Shared libraries for terminal hand
ii  libsasl2-2                2.1.22.dfsg1-8 Authentication abstraction library

Versions of packages mutt recommends:
ii  locales                     2.3.6.ds1-11 GNU C Library: National Language (
ii  mime-support                3.39-1       MIME files 'mime.types' & 'mailcap

-- no debconf information

-- 
It is my conviction that killing under the cloak of war is nothing but
an act of murder.
-- Albert Einstein
From [EMAIL PROTECTED] Tue Mar 06 16:01:20 2007
Return-path: <[EMAIL PROTECTED]>
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Tue, 06 Mar 2007 16:01:20 +0100
Received: from joe by jupiter.planets with local (Exim 4.63)
        (envelope-from <[EMAIL PROTECTED]>)
        id 1HObAG-0006ZJ-IK
        for [EMAIL PROTECTED]; Tue, 06 Mar 2007 16:01:20 +0100
Date: Tue, 6 Mar 2007 16:01:20 +0100
From: =?iso-8859-1?Q?J=F6?= Fahlke <[EMAIL PROTECTED]>
To: =?iso-8859-1?Q?J=F6?= <[EMAIL PROTECTED]>
Subject: test
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.13 (2006-08-11)
Status: RO
Content-Length: 338
Lines: 9

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.6 (GNU/Linux)

yyxiAEXtit5UaGlzIHRleHQgaXMgaW5zZXJ0ZWQgYnkgdGhlIGF0dGFja2Vy
CsiGAnicO8LLzMDEKGQCgYynDZI48osy0zPzEnMYgCAkI7NYoSS1okQBSGfm
KSTnpCYW6Sgk5qUoFGem56Wm6HXYM7Myur7t6v02x6bc7/2V14JMSYUMcwUb
Hxk+cCkVjz+vPvdv2qyNj/pZNjDMd2PdqOe4XeCosZSZnVrzvBeFGgbJAHLp
LjI=
-----END PGP MESSAGE-----
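
As an added defensive illustration, not part of this report or of mutt's own code: the check a MUA can apply to gpg's `--status-fd` output before presenting decrypted text as signed. It relies on GnuPG emitting one PLAINTEXT status line per literal data packet; the status transcripts below are constructed, and the key id and user id in them are placeholders.

```python
import re
from dataclasses import dataclass

# One GnuPG status line, e.g. "[GNUPG:] GOODSIG <keyid> <userid>"; other output is ignored.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
# Keywords after which the output must not be presented as verified at all.
FATAL = {"BADSIG", "ERRSIG", "NODATA", "UNEXPECTED", "FAILURE"}

@dataclass
class Verdict:
    status: str      # "signed", "unsigned" or "reject"
    reason: str
    plaintexts: int  # number of PLAINTEXT status lines (one per literal data packet)

def parse_status(lines):
    """Yield (keyword, arguments) for each '[GNUPG:]' line in gpg's --status-fd output."""
    for line in lines:
        m = STATUS_RE.match(line.rstrip("\n"))
        if m:
            yield m.group(1), (m.group(2) or "")

def judge(status_lines):
    """Conservative rule: show the plaintext as signed only if gpg emitted exactly one
    PLAINTEXT, at least one GOODSIG and nothing fatal. A second PLAINTEXT means another
    literal packet was concatenated before or after the signed one, so reject it."""
    plaintexts = good_sigs = 0
    for keyword, _args in parse_status(status_lines):
        if keyword in FATAL:
            return Verdict("reject", f"gpg reported {keyword}", plaintexts)
        if keyword == "PLAINTEXT":
            plaintexts += 1
        elif keyword == "GOODSIG":
            good_sigs += 1
    if plaintexts != 1:
        return Verdict("reject", f"{plaintexts} plaintext packets, expected 1", plaintexts)
    if good_sigs == 0:
        return Verdict("unsigned", "no GOODSIG, show without a signature marker", plaintexts)
    return Verdict("signed", "one plaintext covered by a good signature", plaintexts)

# Constructed transcripts; key id and user id are placeholders, not real keys.
SIGNED_OK = [
    "[GNUPG:] PLAINTEXT 62 1173193280",
    "[GNUPG:] PLAINTEXT_LENGTH 38",
    "[GNUPG:] GOODSIG 0000000000000000 Example User <user@example.org>",
]
# Shape of the attached test case: an unsigned literal packet in front of the signed one.
PREPENDED = [
    "[GNUPG:] PLAINTEXT 62 1173193280",
    "[GNUPG:] PLAINTEXT_LENGTH 37",
] + SIGNED_OK
```

A signed-and-encrypted message adds BEGIN_DECRYPTION/END_DECRYPTION lines around the same sequence, which this rule ignores; text appended after the signed packet yields the same second PLAINTEXT and is rejected the same way.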
