[Announce] pgp4pine-1.75-6 - expired public keys (from: vab@CRYPTNET.NET)

Werner Koch wk@gnupg.org
Wed Feb 21 08:33:03 2001


--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi,

Pine user should read the following advisory.  I have not checked it
because I don't use Pine.

  Werner
  
-- 
Omnis enim res, quae dando non deficit, dum habetur
et non datur, nondum habetur, quomodo habenda est.
                                      -- Augustinus

--WIyZ46R2i8wDzkSu
Content-Type: message/rfc822
Content-Disposition: inline

Received: from uucp by alberti.gnupg.de with local-rmail (Exim 3.12 #1 (Debian))
	id 14VNws-0006yO-00; Wed, 21 Feb 2001 02:20:06 +0100
Received: from (porta.gnupg.de) [192.168.123.1] (mail)
	by kasiski.gnupg.de with esmtp (Exim 3.16 #1 (Debian))
	id 14VO6r-0003rO-00; Wed, 21 Feb 2001 02:30:25 +0100
Received: from (lists.securityfocus.com) [66.38.151.7] 
	by porta.gnupg.de with smtp (Exim 3.12 #1 (Debian))
	id 14VO42-0002Xr-00; Wed, 21 Feb 2001 02:27:31 +0100
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.7])
	by lists.securityfocus.com (Postfix) with ESMTP
	id 8106D24CEB9; Tue, 20 Feb 2001 17:35:51 -0700 (MST)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
          (LISTSERV-TCP/IP release 1.8d) with spool id 26491137 for
          BUGTRAQ@LISTS.SECURITYFOCUS.COM; Tue, 20 Feb 2001 17:35:09 -0700
Approved-By: beng@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com [66.38.151.9]) by
          lists.securityfocus.com (Postfix) with SMTP id 414BA24D0E9 for
          <bugtraq@lists.securityfocus.com>; Tue, 20 Feb 2001 14:06:03 -0700
          (MST)
Received: (qmail 28537 invoked by alias); 20 Feb 2001 21:06:17 -0000
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Received: (qmail 28527 invoked from network); 20 Feb 2001 21:06:16 -0000
Received: from firewall.cog.ufl.edu (HELO cog.ufl.edu) (128.227.187.3) by
          mail.securityfocus.com with SMTP; 20 Feb 2001 21:06:16 -0000
Received: from igor.intranet (IDENT:vab@igor.intranet [10.10.15.100]) by
          cog.ufl.edu (8.9.3/8.9.3) with ESMTP id QAA11932 for
          <BUGTRAQ@SECURITYFOCUS.COM>; Tue, 20 Feb 2001 16:05:32 -0500
X-Sender: vab@igor.intranet
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="168453135-1374787445-982703757=:21584"
Message-ID:  <Pine.LNX.4.21.0102201556410.21584-200000@igor.intranet>
Date:         Tue, 20 Feb 2001 16:15:57 -0500
Reply-To: "V. Alex Brennen" <vab@CRYPTNET.NET>
From: "V. Alex Brennen" <vab@CRYPTNET.NET>
Subject:      [CryptNET Advisory]  pgp4pine-1.75-6 - expired public keys
To: BUGTRAQ@SECURITYFOCUS.COM

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--168453135-1374787445-982703757=:21584
Content-Type: TEXT/PLAIN; charset=US-ASCII

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------------
                          CryptNET Security Advisory
                           http://www.cryptnet.net/

Advisory Type:          Privacy - Programmatic Error
Synopsis:               pgp4pine may fail to identify expired public keys
Issue Date:             2001.02.20
Program:                pgp4pine-1.75-6 - http://pgp4pine.flatline.de/
Related Programs:       Gnu Privacy Guard (GnuPG) Version 1.0.4
                        Pine Version 4.2.1
Maintainer Response:    Attempts to contact the maintainer of the pgp4pine
                        package where unsuccessful.
- ------------------------------------------------------------------------------

1.  Executive Summary

pgp4pine is a program which is used to interface various PGP implementations
with the popular Pine mail reading package.  Version 1.75-6 of pgp4pine fails
to properly identify expired keys when working with the Gnu Privacy Guard
program (GnuPG).  This failure may result in the transmission of sensitive
information in clear text across the network.


2.  Problem Description

Version 1.75-6 of pgp4pine does not include code to check if public keys
are expired when loading keys from the GnuPG openPGP implementation. If a
user has an expired public key in their keyring and attempts to encrypt a
message to a recipient with that expired public key, pgp4pine will fail to
recognize that the key is expired.  pgp4pine will then issue a command to
GnuPG to encrypt the email message with the expired key. The encryption
will not be successful, GnuPG will return an error message due to the
invalid key.  pgp4pine will not detect the error which occurred when
encrypting the text and will return program flow control to Pine.  Pine
will then transmit the message in the clear.  No notice that an error
occurred will be provided to the user by pgp4pine.

To duplicate the error on the command line:

bash$ pgp4pine -e -i /tmp/in.tmp -o /tmp/out.tmp -r (*R)

* Where R is a recipient with an expired public key in your keyring.


3.  Solution

A patch, written by V. Alex Brennen, has been provided with this advisory.
The patch consists of code modifications which allow pgp4pine to recognize
and ignore expired keys when working with GnuPG.


4.  About This Advisory

This advisory was produced as part of the CryptNET Free Cryptography
Auditing Project.  CryptNET is a group working on the development of
Free Software cryptographic solutions.  As part of its mission,
CryptNET has undertaken The Free Cryptography Auditing Project.  The
project is an effort to audit some of the more popular free software
cryptographic programs licensed under the GNU General Public License.
If you would like to become involved in this project, please see the
CryptNET web site.

John Sheehy, an IBM certified specialist with e-techservices.com
(http://www.e-techservices.com/), assisted with the discovery and
identification of this bug.

- ------------------------------------------------------------------------------
[ENC: Patch]
- ------------------------------------------------------------------------------
diff -urN pgp4pine-1.75/pgp4pine/keyrings.c vab.pgp4pine-1.75/pgp4pine/keyrings.c
- --- pgp4pine-1.75/pgp4pine/keyrings.c   Fri Aug 18 09:24:45 2000
+++ vab.pgp4pine-1.75/pgp4pine/keyrings.c       Mon Feb 12 21:03:09 2001
@@ -449,22 +449,36 @@
                        if (strchr(buf,':') != NULL) {
                                strncpy(keyType,getItem(buf,':',1),3);
                                lineType = 0;
- -                               if (strcmp(keyType,"sec") == 0) lineType = 1; /* secret line... */
- -                               if (strcmp(keyType,"pub") == 0) lineType = 2; /* public key     */
- -                               if (strcmp(keyType,"uid") == 0) lineType = 4; /* user id        */
- -
+                                /*
+                                        The letter e in the second field of the colon delimited GnuPG
+                                        output denotes that gpg asserts that the trust on this item
+                                        has expired (perhaps as the result of an expired openPGP type
+                                        0x13 or 0x18 signature packet).  If this line denotes a public
+                                        key, GnuPG will not function with this key.  So, we should
+                                        return with out adding it to the list.  We shouldn't check
+                                        expiration ourselves because GnuPG is the final authority.
+                                          - V. Alex Brennen, CryptNET FCAP [http://www.cryptnet.net/]
+                                            2001.02.13.01.13.47
+                                */
+                                strncpy(tmpString,getItem(buf,':',2),1);
+                                if (strcmp(tmpString,"e") == 0) lineType = -1; /* Line w/ expired trust */
+                               else if (strcmp(keyType,"sec") == 0) lineType = 1; /* secret line... */
+                               else if (strcmp(keyType,"pub") == 0) lineType = 2; /* public key     */
+                               else if (strcmp(keyType,"uid") == 0) lineType = 4; /* user id        */
+
                                if (lineType == 1) inSec = 1;
- -                               if (lineType == 2) inSec = 0;
+                               else if (lineType == 2) inSec = 0;

                                switch (lineType) {
                                case 1:
                                case 2:
                                        if (lineType == 2 && getSecretOnly) break;
+
                                        myNewKey = (struct pkiKey *) myMalloc(sizeof(pkiKeyStruct));
                                        if (firstKey == NULL) firstKey = myNewKey;
                                        if (oldKey != NULL) oldKey->nextKey = myNewKey;
                                        oldKey = myNewKey;
- -
+
                                        /* next, key size... */
                                        strncpy(tmpString,getItem(buf,':',3),KEY_SIZE_LENGTH);
                                        strncpy(myNewKey->keySize,tmpString,KEY_SIZE_LENGTH);
@@ -523,6 +537,8 @@
                                                strncpy(myNewKey->emailAddress,extractEmailAddress(tmpString),EMAIL_ADDRESS_MAX_LENGTH);
                                        }
                                        break;
+                                default:
+                                        break;
                                }
                        }
                }
- ------------------------------------------------------------------------------
                             End CryptNET Advisory
- ------------------------------------------------------------------------------
- ---
V. Alex Brennen    [vab@cryptnet.net]
  F A R  B E Y O N D  D R I V E N !
    [ http://www.cryptnet.net/ ]

0EC8 B0E3 052D FC4C 208F  76EB FA92 0973 992A 4B3F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Made with pgp4pine 1.75-6

iD8DBQE6kt6h+pIJc5kqSz8RAnKgAJ0T9mpnZgSM3Fh3EszThayvags90ACfQs9G
hgWgYK1IrWbrkFdBYYgpQfg=
=wCgO
-----END PGP SIGNATURE-----


--168453135-1374787445-982703757=:21584
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="vab.pgp4pine.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0102201615570.21584@igor.intranet>
Content-Description: pgp4pine patch as attachment
Content-Disposition: attachment; filename="vab.pgp4pine.patch"

ZGlmZiAtdXJOIHBncDRwaW5lLTEuNzUvcGdwNHBpbmUva2V5cmluZ3MuYyB2
YWIucGdwNHBpbmUtMS43NS9wZ3A0cGluZS9rZXlyaW5ncy5jDQotLS0gcGdw
NHBpbmUtMS43NS9wZ3A0cGluZS9rZXlyaW5ncy5jICAgRnJpIEF1ZyAxOCAw
OToyNDo0NSAyMDAwDQorKysgdmFiLnBncDRwaW5lLTEuNzUvcGdwNHBpbmUv
a2V5cmluZ3MuYyAgICAgICBNb24gRmViIDEyIDIxOjAzOjA5IDIwMDENCkBA
IC00NDksMjIgKzQ0OSwzNiBAQA0KICAgICAgICAgICAgICAgICAgICAgICAg
aWYgKHN0cmNocihidWYsJzonKSAhPSBOVUxMKSB7DQogICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgIHN0cm5jcHkoa2V5VHlwZSxnZXRJdGVtKGJ1
ZiwnOicsMSksMyk7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
IGxpbmVUeXBlID0gMDsNCi0gICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgaWYgKHN0cmNtcChrZXlUeXBlLCJzZWMiKSA9PSAwKSBsaW5lVHlwZSA9
IDE7IC8qIHNlY3JldCBsaW5lLi4uICovDQotICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgIGlmIChzdHJjbXAoa2V5VHlwZSwicHViIikgPT0gMCkg
bGluZVR5cGUgPSAyOyAvKiBwdWJsaWMga2V5ICAgICAqLw0KLSAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICBpZiAoc3RyY21wKGtleVR5cGUsInVp
ZCIpID09IDApIGxpbmVUeXBlID0gNDsgLyogdXNlciBpZCAgICAgICAgKi8N
Ci0NCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8qDQorICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRoZSBsZXR0
ZXIgZSBpbiB0aGUgc2Vjb25kIGZpZWxkIG9mIHRoZSBjb2xvbiBkZWxpbWl0
ZWQgR251UEcNCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgb3V0cHV0IGRlbm90ZXMgdGhhdCBncGcgYXNzZXJ0cyB0aGF0IHRo
ZSB0cnVzdCBvbiB0aGlzIGl0ZW0NCisgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgaGFzIGV4cGlyZWQgKHBlcmhhcHMgYXMgdGhl
IHJlc3VsdCBvZiBhbiBleHBpcmVkIG9wZW5QR1AgdHlwZQ0KKyAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAweDEzIG9yIDB4MTgg
c2lnbmF0dXJlIHBhY2tldCkuICBJZiB0aGlzIGxpbmUgZGVub3RlcyBhIHB1
YmxpYw0KKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICBrZXksIEdudVBHIHdpbGwgbm90IGZ1bmN0aW9uIHdpdGggdGhpcyBrZXku
ICBTbywgd2Ugc2hvdWxkDQorICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgIHJldHVybiB3aXRoIG91dCBhZGRpbmcgaXQgdG8gdGhl
IGxpc3QuICBXZSBzaG91bGRuJ3QgY2hlY2sNCisgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgZXhwaXJhdGlvbiBvdXJzZWx2ZXMg
YmVjYXVzZSBHbnVQRyBpcyB0aGUgZmluYWwgYXV0aG9yaXR5Lg0KKyAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC0gVi4gQWxl
eCBCcmVubmVuLCBDcnlwdE5FVCBGQ0FQIFtodHRwOi8vd3d3LmNyeXB0bmV0
Lm5ldC9dDQorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAyMDAxLjAyLjEzLjAxLjEzLjQ3DQorICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAqLw0KKyAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgc3RybmNweSh0bXBTdHJpbmcsZ2V0SXRlbShidWYsJzonLDIp
LDEpOw0KKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYgKHN0
cmNtcCh0bXBTdHJpbmcsImUiKSA9PSAwKSBsaW5lVHlwZSA9IC0xOyAvKiBM
aW5lIHcvIGV4cGlyZWQgdHJ1c3QgKi8NCisgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgZWxzZSBpZiAoc3RyY21wKGtleVR5cGUsInNlYyIpID09
IDApIGxpbmVUeXBlID0gMTsgLyogc2VjcmV0IGxpbmUuLi4gKi8NCisgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgZWxzZSBpZiAoc3RyY21wKGtl
eVR5cGUsInB1YiIpID09IDApIGxpbmVUeXBlID0gMjsgLyogcHVibGljIGtl
eSAgICAgKi8NCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWxz
ZSBpZiAoc3RyY21wKGtleVR5cGUsInVpZCIpID09IDApIGxpbmVUeXBlID0g
NDsgLyogdXNlciBpZCAgICAgICAgKi8NCisNCiAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgaWYgKGxpbmVUeXBlID09IDEpIGluU2VjID0gMTsN
Ci0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYgKGxpbmVUeXBl
ID09IDIpIGluU2VjID0gMDsNCisgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgZWxzZSBpZiAobGluZVR5cGUgPT0gMikgaW5TZWMgPSAwOw0KDQog
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN3aXRjaCAobGluZVR5
cGUpIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY2FzZSAx
Og0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjYXNlIDI6DQog
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYgKGxp
bmVUeXBlID09IDIgJiYgZ2V0U2VjcmV0T25seSkgYnJlYWs7DQorDQogICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbXlOZXdLZXkg
PSAoc3RydWN0IHBraUtleSAqKSBteU1hbGxvYyhzaXplb2YocGtpS2V5U3Ry
dWN0KSk7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgaWYgKGZpcnN0S2V5ID09IE5VTEwpIGZpcnN0S2V5ID0gbXlOZXdLZXk7
DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYg
KG9sZEtleSAhPSBOVUxMKSBvbGRLZXktPm5leHRLZXkgPSBteU5ld0tleTsN
CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvbGRL
ZXkgPSBteU5ld0tleTsNCi0NCisNCiAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAvKiBuZXh0LCBrZXkgc2l6ZS4uLiAqLw0KICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN0cm5jcHko
dG1wU3RyaW5nLGdldEl0ZW0oYnVmLCc6JywzKSxLRVlfU0laRV9MRU5HVEgp
Ow0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN0
cm5jcHkobXlOZXdLZXktPmtleVNpemUsdG1wU3RyaW5nLEtFWV9TSVpFX0xF
TkdUSCk7DQpAQCAtNTIzLDYgKzUzNyw4IEBADQogICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzdHJuY3B5KG15TmV3
S2V5LT5lbWFpbEFkZHJlc3MsZXh0cmFjdEVtYWlsQWRkcmVzcyh0bXBTdHJp
bmcpLEVNQUlMX0FERFJFU1NfTUFYX0xFTkdUSCk7DQogICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgIGJyZWFrOw0KKyAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgZGVmYXVsdDoNCisgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWs7DQogICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICAgICAg
ICAgIH0NCiAgICAgICAgICAgICAgICB9DQo=
--168453135-1374787445-982703757=:21584--



--WIyZ46R2i8wDzkSu--

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce