
GnuPG and GPGME message signing flaw

According to an announcement at gnupg.org, a problem exists when using GnuPG and GPGME to create attached signatures in email messages. According to Gerardo Richarte of Core Security Technologies, text can be inserted before or after the signed text in an OpenPGP message so that it appears to the user to be covered by the signature, even though it is not. All versions of GPGME up to and including 1.1.3 are affected.

Core Security Technologies also reported that several open source email clients are affected, including KDE's KMail, Novell's Evolution, Sylpheed, Mutt, and GnuMail.org (Joris Evers, "Bug may expose encrypted e-mail", C/Net News.com, 8 Mar 2007).

There is a new release of GnuPG, 1.4.7, that fixes this issue; GnuPG 2.0.3 is also unaffected. It is important to note that this is not a problem in the encryption method. Rather, it is an issue with the way a mail user agent (MUA) processes attached signatures: the MUA must show only the text that the signature actually covers, and must not present surrounding unsigned text as if it were signed.

It is recommended that organizations and developers use detached signatures for messages. Detached signatures are not affected by this type of vulnerability, because the signature covers exactly one separately delivered body part (as in PGP/MIME), so there is no ambiguity about which bytes were signed.
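As an added illustration of the MUA-side issue described above (this is example code written for this page, not code from GnuPG, GPGME, or any of the clients named): a small Python routine that splits an RFC 4880 cleartext-signed message into the region the signature covers and everything outside it. It does not verify the signature, which is GnuPG's job; it shows the display rule a client must follow once GnuPG reports a good signature, namely that only the text between the signed-message header and the signature armor was signed, and any surrounding text must be presented as unsigned. The sample message and its signature block are constructed placeholders, not a real signature, and the function names are this example's own.

```python
"""
Separate signed from unsigned text in an OpenPGP cleartext-signed message
(RFC 4880 section 7 armor framing).

Example code for the display rule a mail client must follow: only the text
inside the signed region may be shown as covered by a signature. Signature
verification itself is left to GnuPG/GPGME and is not done here.
"""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def _dash_unescape(lines):
    # RFC 4880 7.1: signed lines that begin with "-" are sent as "- " + line.
    return [l[2:] if l.startswith("- ") else l for l in lines]


def segment_cleartext(message: str):
    """Split a message into ('unsigned' | 'signed' | 'signature', text) segments.

    Everything outside a complete BEGIN SIGNED MESSAGE ... END SIGNATURE block
    is 'unsigned'. A block that is not properly terminated is not trusted as
    signed and is folded into the surrounding unsigned text.
    """
    lines = message.splitlines()
    segments, buf, i = [], [], 0
    while i < len(lines):
        if lines[i] != BEGIN_SIGNED:
            buf.append(lines[i])
            i += 1
            continue
        j = i + 1                      # skip armor headers (e.g. "Hash: SHA256")
        while j < len(lines) and lines[j].strip() != "":
            j += 1
        k = j + 1                      # find the signature armor
        while k < len(lines) and lines[k] != BEGIN_SIG:
            k += 1
        m = k + 1
        while m < len(lines) and lines[m] != END_SIG:
            m += 1
        if j >= len(lines) or k >= len(lines) or m >= len(lines):
            buf.append(lines[i])       # malformed block: treat as unsigned text
            i += 1
            continue
        if buf:
            segments.append(("unsigned", "\n".join(buf)))
            buf = []
        segments.append(("signed", "\n".join(_dash_unescape(lines[j + 1:k]))))
        segments.append(("signature", "\n".join(lines[k:m + 1])))
        i = m + 1
    if buf:
        segments.append(("unsigned", "\n".join(buf)))
    return segments


def covered_text(message: str) -> str:
    """Only the text that a valid signature would vouch for."""
    return "\n".join(t for k, t in segment_cleartext(message) if k == "signed")


def uncovered_text(message: str) -> str:
    """Non-blank text outside every signed region."""
    return "\n".join(t for k, t in segment_cleartext(message)
                     if k == "unsigned" and t.strip())


def has_unsigned_text(message: str) -> bool:
    return any(k == "unsigned" and t.strip() for k, t in segment_cleartext(message))


def render_for_display(message: str, signature_ok: bool) -> str:
    """What a careful MUA shows: signed text labelled by verification result,
    unsigned text labelled separately, and the armor itself hidden."""
    out = []
    for kind, text in segment_cleartext(message):
        if kind == "signed":
            label = "[SIGNED: good signature]" if signature_ok else "[SIGNED: BAD signature]"
            out.append(f"{label}\n{text}")
        elif kind == "unsigned" and text.strip():
            out.append(f"[UNSIGNED: not covered by any signature]\n{text.strip()}")
    return "\n\n".join(out)


# Constructed sample; the signature body is a placeholder, not real OpenPGP data.
SAMPLE = """Text before the signed block (not covered by the signature)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The meeting is at 10:00.
- -- this line was dash-escaped on the wire
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERnotARealSignatureBlockAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
=AbCd
-----END PGP SIGNATURE-----

Text after the signature block (not covered either)
"""

if __name__ == "__main__":
    print(render_for_display(SAMPLE, signature_ok=True))
```

Feeding the whole message through `segment_cleartext` and rendering each segment with its own label is the point: a client that calls GnuPG, sees a good-signature status, and then displays the entire message body as signed is exactly the behaviour the advisory describes. The same segmentation handles a message containing several signed blocks, with each unsigned gap reported separately.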

About Tom Olzak

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
