[Original text] PGP Corporate Desktop before 7.1, Personal Security before 7.0.3, Freeware before 7.0.3, and E-Business Server before 7.1 do not properly display when invalid user IDs are used to sign a message, which could allow an attacker to make the user believe that the document has been signed by a trusted third party by adding a second, invalid user ID to a key which has already been signed by the third party, aka the "PGPsdk Key Validity Vulnerability."
PGPsdk-based products contain a flaw related to the authentication of PGP key user IDs. The issue is due to the software not properly authenticating and warning a user when a key signed by a trusted third party is used to forge signatures with an invalid user ID. The attacker could add an unsigned second user ID to this key, which could then be switched to primary.
Upgrade to version 7.0.4/7.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
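To audit a keyring for the condition described above (a key where one user ID carries a trusted third-party certification and another does not), the following added example, which is not part of the original advisory or of any PGP product, evaluates certification per user ID rather than per key. It assumes a listing in GnuPG's colon format (`gpg --with-colons --check-sigs`); the sample listing, key IDs and names are constructed.

```python
# Constructed sample in the layout of `gpg --with-colons --check-sigs` output
# (field 1 record type, 2 check result, 5 key ID, 10 user ID). Not real keys.
SAMPLE = """\
pub:f:2048:1:1111111111111111:1000000000:::-:::scESC:
uid:f::::1000000000::AAAA::Alice Example <alice@example.org>:
sig:!::1:1111111111111111:1000000000::::Alice Example <alice@example.org>:13x:
sig:!::1:9999999999999999:1000000000::::Trusted Introducer <ca@example.org>:10x:
uid:-::::1000000100::BBBB::Someone Else <other@example.org>:
sig:!::1:1111111111111111:1000000100::::Alice Example <alice@example.org>:13x:
pub:f:2048:1:2222222222222222:1000000000:::-:::scESC:
uid:f::::1000000000::CCCC::Bob Example <bob@example.org>:
sig:!::1:9999999999999999:1000000000::::Trusted Introducer <ca@example.org>:10x:
"""

def uid_certifications(listing, trusted_signers):
    """Return {key_id: [(user_id, certified_by_trusted_signer), ...]}."""
    keys, key_id, current = {}, None, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue                      # blank or malformed record
        if f[0] == "pub":
            key_id, current = f[4], None
            keys[key_id] = []
        elif f[0] == "uid" and key_id:
            current = [f[9], False]       # signatures that follow bind to this UID
            keys[key_id].append(current)
        elif f[0] in ("sub", "uat"):
            current = None                # later sigs are not UID certifications
        elif f[0] == "sig" and current is not None:
            # "!" = signature verified; self-signatures prove nothing about identity
            if f[1] == "!" and f[4] != key_id and f[4] in trusted_signers:
                current[1] = True
    return {k: [tuple(u) for u in v] for k, v in keys.items()}

def mixed_validity_keys(listing, trusted_signers):
    """Keys where some, but not all, user IDs carry a trusted certification."""
    flagged = {}
    for key_id, uids in uid_certifications(listing, trusted_signers).items():
        uncertified = [uid for uid, ok in uids if not ok]
        if uncertified and len(uncertified) < len(uids):
            flagged[key_id] = uncertified
    return flagged

if __name__ == "__main__":
    for key_id, uids in mixed_validity_keys(SAMPLE, {"9999999999999999"}).items():
        print(f"{key_id}: uncertified user IDs on a partly certified key: {uids}")
```

Any key it reports should have its signatures treated as valid only for the user IDs that are individually certified.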