[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security flaw in PGPverify of INN

To: [email protected]
Subject: Security flaw in PGPverify of INN
From: Lutz Donnerhacke <[email protected]>
Date: Wed, 15 Oct 1997 01:29:56 +0100
Sender: [email protected]

Hi,

I was urged to send you the following information. I noticed CERT and tale
itself. But tale claims that the problem is not a problem of pgpverify, it's
a problem of some krauts trying to send checkgroups monthly using a bot.

The checkgroups mentioned were send since a year. They do not include Date:
and Message-ID: because these values were not predictable by the human
signer and the bot does not know the passphrase to work with.

In consequence there are checkgroups out there which can be resend at any
time causing a lot of trouble, because the signature is still valid even if
a new Message-ID: and Date: line are used.

The obvious fix is to modify pgpverify to block such control messages.
ftp://ftp.iks-jena.de/pub/mitarb/lutz/ contains the necessary fixes.

HTH

Content-Type: application/pgp-signature

Untitled

Prev by Date: Just say "Huh?" to key recovery concerns...keep OpenPGP pure
Next by Date: Equal rights for receivers
Prev by thread: Re: Technical Description of PGP 5.5
Next by thread: Equal rights for receivers
Index(es):
- Date
- Thread