security patches
Florian Weimer
fw@deneb.enyo.de
Fri Oct 5 23:00:02 2001
Johan Wevers <johanw@vulcan.xs4all.nl> writes:

>> -Klima-Rosa
>
> Solved.

Even for DSA keys?

>> (that's all?)

No, I don't think so. Here's my current summary. (I'm sorry about
the long lines.) Anyone care to fill the gaps?

Defect Matrix
*************
(x = defective, - = not defective, ? = unknown,
 VERSION = fixed in VERSION, <VERSION> = workaround since VERSION,
 < > = workaround from beginning, (VERSION) = fix expected for VERSION)

                             GnuPG    PGP 2.6.3  PGP 2.6.3in   PGP 5.x  PGP 6.x  PGP 7.x
V4 key expiration            x        n/a        n/a           ?        x        x
Multiple signatures          1.0.4    -          -             ?        ?        ?
Detached signature           1.0.5    -          -             ?        ?        ?
Trust import                 1.0.5    -          -             -        -        -
Klima/Rosa DSA               x        n/a        n/a           x        x        x
Klima/Rosa RSA               <1.0.6>  x          <2001-03-22>  ?        ?        < >
Bit errors                   1.0.6    x          2001-03-22    ?        ?        ?
DLL loading                  -        -          -             x        ?        -
ADK implementation           n/a      n/a        n/a           ?        ?        ?
Entropy gathering            -        n/a        n/a           x        -        -
V3 secret key import         x        -          -             ?        ?        ?
File name format string      1.0.6    -          -             -        -        -
Exportable local signatures  (1.0.7)  n/a        n/a           ?        ?        ?
Primary User ID              <0.9.3>  x          x             x        x        hotfix
Primary User ID SDK          1.0.5    n/a        n/a           ?        ?        hotfix

Implementations
***************
GnuPG
-----
Vendor: Free Software Foundation
URL: http://www.gnupg.org/
GNU Privacy Guard (GnuPG) is the OpenPGP implementation
maintained by the Free Software Foundation. It is free software,
released under the GPL.
PGP 2.6.3
---------
Vendor: Phil's Pretty Good Software
PGP 2.6.3 is the last of the old PGP 2 versions released
by Phil Zimmermann in cooperation with MIT.
It is mostly incompatible with OpenPGP.
PGP 2.6.3in
-----------
Vendor: Phil's Pretty Good Software, Schumacher, Donnerhacke et al.
This version is derived from PGP 2.6.3. It was modified by
Staale Schumacher to create the international version (hence the "i"),
and further modifications were made by Lutz Donnerhacke.
This version is mostly incompatible with OpenPGP.
PGP 5.x
-------
Vendor: Network Associates, Inc.
The first PGP version released by Network Associates, Inc.,
includes beginning support for the OpenPGP format.
PGP 6.x
-------
Vendor: Network Associates, Inc.
Includes more comprehensive support for the OpenPGP format.
This is the last version of NAI PGP for which source code is available.
PGP 7.x
-------
Vendor: Network Associates, Inc.
Comprehensive support for the OpenPGP standard. NAI no longer
releases the source code of the complete PGP application; only
the implementation of the algorithms related to cryptography
is revealed.
Vulnerabilities
***************
V4 key expiration
-----------------
Someone who has access to the corresponding secret key can increase
the life time of a V4 public key without invalidating certificates.
This is a weakness in the OpenPGP protocol.
Multiple signatures
-------------------
Multiple signatures on the same document are not correctly verified
and can lead to false positives.
Detached signature
------------------
When requested to verify a detached signature against a document, even
a non-detached signature with an embedded document can give a positive
result.
Trust import
------------
Ordinary key import might introduce trusted keys without user
intervention.
Klima/Rosa DSA
--------------
Klima and Rosa describe an attack on the storage format
for secret DSA keys. This attack is dangerous only if the
secret key is stored on a medium which is not trustworthy.
Klima/Rosa RSA
--------------
Klima and Rosa describe an attack on the storage format
for secret RSA keys. This attack is dangerous only if the
secret key is stored on a medium which is not trustworthy.
Bit errors
----------
Bit errors during asymmetric cryptographic operations
can reveal the private key component.
DLL loading
-----------
On Windows, DLLs are sometimes loaded from the current directory.
If the OpenPGP implementation loads special DLLs, this might result
in the execution of untrusted code.
ADK implementation
------------------
The Additional Decryption Key (which is used for corporate or governmental
message recovery) attribute of a public key is recognized even if it is not
covered by a self signature.
Entropy gathering
-----------------
Because of misuse of a system-level programming interface, non-random
bytes are returned by the routine which should retrieve random bytes
from the entropy pool of the system.
V3 secret key import
--------------------
The MPI syntax specification in OpenPGP excludes leading zero octets,
but these can occur nevertheless in V3 secret keys. Some implementations
cannot import such keys. (This is not a security problem, but a
reliability problem.)
File name format string
-----------------------
A format string bug exists in the user interface code dealing with
file names.
Exportable local signatures
---------------------------
Signatures on V3 keys marked non-exportable are not properly
generated so that they are exportable nevertheless.
Primary User ID
---------------
The OpenPGP implementation displays a primary user ID which is not
certified as a certified one if there is at least one certified user
ID attached to the key.
Primary User ID SDK
-------------------
This is the same defect as above, but the wrong user ID is transmitted
over a channel intended for automatic processing by other programs.
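
Added example, not part of the original message and not code from any of the listed implementations: a parser for the OpenPGP MPI encoding (two-octet big-endian bit count followed by the value) that illustrates the "V3 secret key import" entry. The `strict` flag, the function names and the sample bytes are constructed for illustration; strict mode fails on a leading zero octet, tolerant mode accepts it and normalizes the value.

```python
import struct

class MPIError(ValueError):
    """Raised when an MPI is truncated or violates the syntax rules."""

def read_mpi(buf, offset=0, strict=False):
    """Parse one OpenPGP MPI; return (value, next_offset, canonical).

    strict=True rejects leading zero octets/bits, as a literal reading
    of the MPI syntax would; strict=False accepts and normalizes them.
    """
    if len(buf) - offset < 2:
        raise MPIError("truncated MPI length field")
    (bits,) = struct.unpack_from(">H", buf, offset)  # big-endian bit count
    nbytes = (bits + 7) // 8
    body = buf[offset + 2 : offset + 2 + nbytes]
    if len(body) != nbytes:
        raise MPIError("truncated MPI body")
    value = int.from_bytes(body, "big")
    if value.bit_length() > bits:
        raise MPIError("bits set above the declared length")
    canonical = value.bit_length() == bits
    if strict and not canonical:
        raise MPIError("leading zero bits: declared %d, actual %d"
                       % (bits, value.bit_length()))
    return value, offset + 2 + nbytes, canonical

def write_mpi(value):
    """Serialize with the minimal bit count, i.e. no leading zero octets."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

# Constructed sample: the value 0x01ff declared as 24 bits, so the body
# carries one leading zero octet (00 01 ff).
PADDED = bytes.fromhex("0018" "0001ff")

if __name__ == "__main__":
    value, end, canonical = read_mpi(PADDED)
    print(hex(value), end, canonical)
    print(write_mpi(value).hex())
    try:
        read_mpi(PADDED, strict=True)
    except MPIError as exc:
        print("strict importer:", exc)
```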
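
Added example, not part of the original message: a widely used countermeasure for the "Bit errors" entry is to verify an RSA-CRT result with the public exponent before releasing it, so a faulty computation is discarded instead of output. The message does not say how any listed implementation fixed the defect; the toy key, the `flip_bit` parameter (a simulated bit error) and all names below are constructed for illustration.

```python
import hashlib

# Constructed toy key built from two Mersenne primes; far too small for
# real use, chosen only so the example runs instantly and offline.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
DP = pow(E, -1, P - 1)   # private exponent reduced mod p-1
DQ = pow(E, -1, Q - 1)   # private exponent reduced mod q-1
QINV = pow(Q, -1, P)     # q^-1 mod p for CRT recombination

class FaultDetected(RuntimeError):
    """The computed signature did not verify and was withheld."""

def digest_to_int(message):
    """Map a message to an integer below N (no padding; toy scheme)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign_crt(m, flip_bit=None):
    """RSA-CRT signature on integer m, checked before it is returned.

    flip_bit (hypothetical test hook) flips one bit of the mod-p half
    to simulate a memory or hardware error during the computation.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if flip_bit is not None:
        sp ^= 1 << flip_bit
    h = (QINV * (sp - sq)) % P
    s = sq + h * Q
    # Verify with the public key; never release an unverified result.
    if pow(s, E, N) != m:
        raise FaultDetected("signature failed self-check, not released")
    return s

if __name__ == "__main__":
    m = digest_to_int(b"constructed sample message")
    print("clean signature verifies:", pow(sign_crt(m), E, N) == m)
    try:
        sign_crt(m, flip_bit=3)
    except FaultDetected as exc:
        print("faulty run:", exc)
```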