CVE-2003-0255
CVSS 10.0
Published: 2003-05-27 00:00:00
Revised: 2016-10-17 22:31:19

[Original] The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.


[CNNVD] GNU Privacy Guard Insecure Trust Path to User ID Vulnerability (CNNVD-200305-056)

        
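        GNU Privacy Guard (GnuPG) is an open-source encryption program.
        GnuPG does not correctly determine the validity of keys with multiple user IDs, which may lead to disclosure of information intended for a trusted user.
        Keys that carry only one user ID are not affected by this vulnerability. As a simple example, suppose a key has two user IDs:
        Alice and Alice's other address
        If the encrypting user has a trusted path to the ID alice@example.com, that ID is fully valid, and no warning appears when encrypting to alice@example.com.
        If the encrypting user's path to the ID "alice@corp.example.net" is insufficient or untrusted, that ID is not fully valid. Encrypting to this other user ID should produce a warning ("it is not certain this key belongs to the user named in the user ID / do you want to encrypt to it anyway?"), but because of this vulnerability the invalid user ID is accepted as valid without any warning.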
        

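- CVSS (Base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

Product and version information (CPE) is currently unavailable

- OVAL (Technical details for detection)

oval:org.mitre.oval:def:135 GnuPG Invalid User ID Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical detail on detecting it can be found in the related OVAL definition.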

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0255
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0255
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-056
(Official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000694
(UNKNOWN)  CONECTIVA  CLA-2003:694
http://marc.info/?l=bugtraq&m=105215110111174&w=2
(UNKNOWN)  BUGTRAQ  20030504 Key validity bug in GnuPG 1.2.1 and earlier
http://marc.info/?l=bugtraq&m=105301357425157&w=2
(UNKNOWN)  ENGARDE  ESA-20030515-016
http://marc.info/?l=bugtraq&m=105311804129104&w=2
(UNKNOWN)  BUGTRAQ  20030516 [OpenPKG-SA-2003.029] OpenPKG Security Advisory (gnupg)
http://marc.info/?l=bugtraq&m=105362224514081&w=2
(UNKNOWN)  BUGTRAQ  20030522 [slackware-security] GnuPG key validation fix (SSA:2003-141-04)
http://www.kb.cert.org/vuls/id/397604
(UNKNOWN)  CERT-VN  VU#397604
http://www.linuxsecurity.com/advisories/engarde_advisory-3258.html
(UNKNOWN)  ENGARDE  20030515-016
http://www.linuxsecurity.com/advisories/gentoo_advisory-3266.html
(UNKNOWN)  MISC  http://www.linuxsecurity.com/advisories/gentoo_advisory-3266.html
http://www.mandriva.com/security/advisories?name=MDKSA-2003:061
(UNKNOWN)  MANDRAKE  MDKSA-2003:061
http://www.redhat.com/support/errata/RHSA-2003-175.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:175
http://www.redhat.com/support/errata/RHSA-2003-176.html
(UNKNOWN)  REDHAT  RHSA-2003:176
http://www.securityfocus.com/bid/7497
(UNKNOWN)  BID  7497
http://www.turbolinux.com/security/TLSA-2003-34.txt
(UNKNOWN)  TURBO  TLSA200334
http://xforce.iss.net/xforce/xfdb/11930
(UNKNOWN)  XF  gnupg-invalid-key-acceptance(11930)

- Vulnerability information

GNU Privacy Guard Insecure Trust Path to User ID Vulnerability
Critical Other
2003-05-27 00:00:00 2005-10-20 00:00:00
Local

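- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        * Patch provided by the GnuPG Team: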
        Index: g10/trustdb.c
        ===================================================================
        RCS file: /cvs/gnupg/gnupg/g10/trustdb.c,v
        retrieving revision 1.89.2.1
        diff -u -r1.89.2.1 trustdb.c
        --- g10/trustdb.c 2 Oct 2002 21:56:03 -0000 1.89.2.1
        +++ g10/trustdb.c 4 May 2003 01:12:38 -0000
        @@ -808,16 +808,27 @@
         while (recno)
         {
         read_record (recno, &vrec, RECTYPE_VALID);
        - if ( validity < (vrec.r.valid.validity & TRUST_MASK) )
        - validity = (vrec.r.valid.validity & TRUST_MASK);
        - if ( namehash && !memcmp (vrec.r.valid.namehash, namehash, 20) )
        - break;
        + if(namehash)
        + {
        + /* If namehash is given we return the trust for that user ID
        + ONLY. If the namehash is not found, then there is no
        + validity at all (i.e. the user ID wasn't signed). */
        + if(memcmp(vrec.r.valid.namehash,namehash,20)==0)
        + {
        + validity=(vrec.r.valid.validity & TRUST_MASK);
        + break;
        + }
        + }
        + else
        + {
        + /* If no namehash is given, we take the maximum validity
        + over all user IDs */
        + if ( validity < (vrec.r.valid.validity & TRUST_MASK) )
        + validity = (vrec.r.valid.validity & TRUST_MASK);
        + }
         recno = vrec.r.valid.next;
         }
        
        - if (recno) /* okay, use the user ID associated one */
        - validity = (vrec.r.valid.validity & TRUST_MASK);
        -
         if ( (trec.r.trust.ownertrust & TRUST_FLAG_DISABLED) )
         validity |= TRUST_FLAG_DISABLED;
        
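Review bot: in the new `if(namehash)` branch, the "not found" result depends on `validity` still holding its initial value when the loop ends without a match, and that initialisation is outside the lines shown. The comment promises "no validity at all" for an unsigned user ID, so either make the zero initialisation visible next to the loop or set the value explicitly after it. The literal 20 in `memcmp(vrec.r.valid.namehash,namehash,20)` would also be clearer as a named constant for the hash length, since the pkclist.c change allocates the same 20 bytes.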
        Index: g10/pkclist.c
        ===================================================================
        RCS file: /cvs/gnupg/gnupg/g10/pkclist.c,v
        retrieving revision 1.73.2.1
        diff -u -r1.73.2.1 pkclist.c
        --- g10/pkclist.c 17 Oct 2002 13:49:30 -0000 1.73.2.1
        +++ g10/pkclist.c 4 May 2003 01:12:39 -0000
        @@ -524,17 +524,23 @@
         return 0;
        
         if( !opt.batch && !rc ) {
        - char *p;
         u32 keyid[2];
        - size_t n;
        
         keyid_from_pk( pk, keyid);
         tty_printf( "%4u%c/%08lX \"",
         nbits_from_pk( pk ), pubkey_letter( pk->pubkey_algo ),
         (ulong)keyid[1], datestr_from_pk( pk ) );
        - p = get_user_id( keyid, &n );
        - tty_print_utf8_string( p, n ),
        - m_free(p);
        + /* If the pk was chosen by a particular user ID, this is the
        + one to ask about. */
        + if(pk->user_id)
        + tty_print_utf8_string(pk->user_id->name,pk->user_id->len);
        + else
        + {
        + size_t n;
        + char *p = get_user_id( keyid, &n );
        + tty_print_utf8_string( p, n );
        + m_free(p);
        + }
         tty_printf("\"\n");
         print_fingerprint (pk, NULL, 2);
         tty_printf("\n");
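Review bot: the `if(pk->user_id)` branch prints `pk->user_id->name` unconditionally, while the later hunk in this file treats user IDs that carry `attrib_data` differently when hashing. Please confirm that `name` holds a printable description for attribute user IDs; otherwise the prompt can ask about an empty or misleading string. A short comment on which selection paths set `pk->user_id` would also make clear when the `get_user_id` fallback applies.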
        @@ -887,8 +893,27 @@
         }
         else {
         int trustlevel;
        +
        + /* Fill in the namehash so we can get the validity
        + for this particular UID. If we start using it
        + in more places than here, it might be good to
        + fill this in for all PKs. */
        +
        + if(pk->user_id)
        + {
        + pk->namehash=m_alloc(20);
        +
        + if( pk->user_id->attrib_data )
        + rmd160_hash_buffer (pk->namehash,
        + pk->user_id->attrib_data,
        + pk->user_id->attrib_len);
        + else
        + rmd160_hash_buffer (pk->namehash,
        + pk->user_id->name,
        + pk->user_id->len );
        + }
        
        - trustlevel = get_validity (pk, NULL);
        + trustlevel = get_validity (pk, pk->namehash);
         if( (trustlevel & TRUST_FLAG_DISABLED) ) {
         tty_printf(_("Public key is disabled.\n") );
         }
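Review bot: `pk->namehash=m_alloc(20)` runs whenever `pk->user_id` is set, with no check that `pk->namehash` is already filled and no matching free in the lines shown, so a pk that reaches this code twice would leak the earlier buffer. Guard the allocation with `if(pk->user_id && !pk->namehash)` and make sure the pk release path frees it. The comment already notes the hash may later be filled in for all PKs, which makes a single helper for "compute namehash from user_id" the safer shape than an inline block here.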
        @@ -901,8 +926,6 @@
         }
         else {
         PK_LIST r;
        - char *p;
        - size_t n;
         u32 keyi

- Vulnerability information

4947
GnuPG Multiple Userid Key Validity
Local Access Required, Remote / Network Access Authentication Management, Cryptographic
Loss of Integrity
Exploit Public

- Vulnerability description

GnuPG versions prior to 1.2.2 handle trust relationships of multiple userids bound to a single key incorrectly. If a key has more than one userid, all userids assume the validity of the most valid userid, rather than applying the relevant trust path to each userid individually.
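
The behaviour described above, as a small C model of the two-user-ID Alice key. This is an added illustration, not GnuPG source: the record layout, the validity constants and the use of the plain address in place of the 20-byte name hash are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not GnuPG source. Each record holds the validity of
   one user ID; "name" stands in for the 20-byte user ID hash (namehash). */
struct vrec { const char *name; int validity; int next; /* -1 ends list */ };
enum { V_NONE = 0, V_FULL = 5 };   /* constructed levels, not TRUST_* values */

/* Constructed sample: Alice's key with one trusted and one untrusted ID. */
static const struct vrec alice[] = {
    { "alice@example.com",      V_FULL,  1 },
    { "alice@corp.example.net", V_NONE, -1 },
};

/* Lookup modelled on the removed lines: running maximum over all user IDs,
   overridden only when the requested name is found. */
int validity_old(const struct vrec *db, const char *name)
{
    int v = V_NONE, i = 0;
    for (; i >= 0; i = db[i].next) {
        if (v < db[i].validity) v = db[i].validity;
        if (name && strcmp(db[i].name, name) == 0) break;
    }
    if (i >= 0) v = db[i].validity;   /* matched: use that user ID's value */
    return v;
}

/* Lookup modelled on the added lines: with a name, that user ID only. */
int validity_new(const struct vrec *db, const char *name)
{
    int v = V_NONE;
    for (int i = 0; i >= 0; i = db[i].next) {
        if (name) {
            if (strcmp(db[i].name, name) == 0) { v = db[i].validity; break; }
        } else if (v < db[i].validity) {
            v = db[i].validity;       /* no name given: key-wide maximum */
        }
    }
    return v;
}

int main(void)
{
    const char *q[] = { NULL, "alice@corp.example.net", "alice@other.example" };
    for (int k = 0; k < 3; k++)
        printf("%-24s old=%d new=%d\n", q[k] ? q[k] : "(no user ID passed)",
               validity_old(alice, q[k]), validity_new(alice, q[k]));
    return 0;
}
```

With no user ID passed, both lookups return the key-wide maximum, which is why the vendor patch also changes the caller from `get_validity (pk, NULL)` to `get_validity (pk, pk->namehash)`; only then does the untrusted address yield a validity low enough to trigger the warning.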

- Timeline

2003-05-03 Unknown
2003-05-03 Unknown

- Solution

Upgrade to version 1.2.2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the patch provided by the vendor for versions 1.2.1, 1.2.0, and 1.0.7. Versions 1.0.6 and older must upgrade.

- References

- Vulnerability author

- Vulnerability information

GNU Privacy Guard Insecure Trust Path To User ID Weakness
Origin Validation Error 7497
No Yes
2003-05-05 12:00:00 2009-07-11 09:07:00
This weakness was disclosed by the vendor.

- Affected program versions

Sun Cobalt RaQ XTR
SCO OpenLinux Workstation 3.1.1
SCO OpenLinux Server 3.1.1
GNU PG 1.2.1
GNU PG 1.2
GNU PG 1.0.7
GNU PG 1.0.6
GNU GNU Privacy Guard 1.2.1
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG 1.2
+ RedHat Linux 9.0 i386
+ Terra Soft Solutions Yellow Dog Linux 3.0
GNU GNU Privacy Guard 1.2
GNU GNU Privacy Guard 1.0.7
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ MandrakeSoft apcupsd 2006.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ OpenPKG OpenPKG 1.1
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ RedHat Linux Advanced Work Station 2.1
+ Sun Linux 5.0.5
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.0
GNU GNU Privacy Guard 1.0.6
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
GNU GNU Privacy Guard 1.0.5
- Caldera OpenLinux 2.4
- Caldera OpenLinux 2.3
- Caldera OpenLinux eBuilder 3.0
- Conectiva Linux 6.0
- Conectiva Linux 5.1
- Conectiva Linux 5.0
- Conectiva Linux 4.2
- Conectiva Linux 4.1
- Conectiva Linux 4.0 es
- Conectiva Linux 4.0
- Conectiva Linux graficas
- Conectiva Linux ecommerce
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
- Immunix Immunix OS 7.0 beta
- Immunix Immunix OS 7.0
- Immunix Immunix OS 6.2
- MandrakeSoft Corporate Server 1.0.1
- Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0 ppc
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Red Hat Linux 6.2
- RedHat Linux 7.1 i386
- RedHat Linux 7.1
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- Trustix Secure Linux 1.2
- Trustix Secure Linux 1.1
GNU GNU Privacy Guard 1.0.4
- Turbolinux Turbolinux 6.0.5
- Turbolinux Turbolinux Server 6.5
- Turbolinux Turbolinux Workstation 6.1
GNU GNU Privacy Guard 1.0.3 b
GNU GNU Privacy Guard 1.0.3
GNU GNU Privacy Guard 1.0.2
GNU GNU Privacy Guard 1.0.1
GNU GNU Privacy Guard 1.0 .6
- MandrakeSoft Corporate Server 1.0.1
- Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0 ppc
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
GNU GNU Privacy Guard 1.0
GNU finger 1.0.7
EnGarde Secure Professional 1.5
EnGarde Secure Professional 1.2
EnGarde Secure Professional 1.1
EnGarde Secure Community 2.0
EnGarde Secure Community 1.0.1

- Unaffected program versions

GNU PG 1.2.2
GNU GNU Privacy Guard 1.2.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1

- Vulnerability discussion

GNU Privacy Guard has been reported prone to a weakness involving the validity of multiple user IDs. It has been reported that GnuPG does not sufficiently differentiate between the validity given to individual IDs on a public key that has multiple user IDs linked to it. This may result in the leakage of data presumed to be destined to a trusted user; other attacks may also be possible.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Sun has released a security update to address this issue in the RaQ XTR. Please see the references section for further details. A fix is linked below.

Sun has released updates for Sun Linux 5.0.5.

Yellow Dog Linux has released an advisory (YDU-20030602-5) and fixes to address this issue. Users are recommended to run the 'apt-get' utility by issuing the following commands. Manual retrieval and installation of the fixes is described in the referenced advisory.

apt-get update
apt-get install gnupg

EnGarde Secure Linux has released an advisory (ESA-20030515-016), which contains details on how to obtain and apply fixes to address this issue. EnGarde recommends that all affected users apply fixes as soon as possible.

Red Hat has released advisory RHSA-2003:175-01 with fixes to address this issue. See referenced advisory for additional details.

Red Hat has also released a security advisory (RHSA-2003-176) to address this issue for Red Hat Enterprise Linux and Advanced Workstation. The appropriate fixes have also been made available and can be obtained through the Red Hat Network:

http://rhn.redhat.com/

SCO has released an advisory (CSSA-2003-034.0) that includes updates for this issue.

The vendor has released an upgrade to address this issue; users are advised to upgrade as soon as possible:


Sun Cobalt RaQ XTR

GNU GNU Privacy Guard 1.0

GNU GNU Privacy Guard 1.0 .6

GNU GNU Privacy Guard 1.0.1

GNU GNU Privacy Guard 1.0.2

GNU GNU Privacy Guard 1.0.3 b

GNU GNU Privacy Guard 1.0.3

GNU GNU Privacy Guard 1.0.4

GNU GNU Privacy Guard 1.0.5

GNU GNU Privacy Guard 1.0.6

GNU finger 1.0.7

GNU GNU Privacy Guard 1.0.7

GNU GNU Privacy Guard 1.2

GNU GNU Privacy Guard 1.2.1

SCO OpenLinux Server 3.1.1

SCO OpenLinux Workstation 3.1.1

- References
