CoreLabs Detects Flaw In GnuPG - any comments ?

Eric Robinson ewrobinson at
Fri Aug 10 17:42:07 CEST 2007

CoreLabs Detects Flaw In GnuPG 
By CXOtoday Staff 
Mumbai, Mar 9, 2007 

Core Security Technologies has issued an advisory disclosing a flaw in
the GNU Privacy Guard (GnuPG or GPG). GnuPG is an OpenPGP-compliant
cryptographic software system and part of the Free Software
Foundation's (FSF) GNU software project; third-party email
applications rely on it for encrypted and signed email.

CoreLabs, the research arm of Core Security, discovered this by
exploiting the vulnerability. According to the press release, issued by
Core Security, an attacker can add arbitrary content to encrypted and/or
signed emails in order to mislead recipients about the trustworthiness
of a message. In addition, attackers can use this flaw to bypass
content-filtering defenses, which makes it particularly inconvenient to
detect phishing attacks. 

The company discovered that the scripts and applications using GnuPG are
prone to a vulnerability involving incorrect verification of signatures.
Unsuspecting users reading a GPG encrypted and/or signed email, using a
mail client or encryption extension, are led to believe that the entire
message was signed by the sender when, in fact, an arbitrary portion of
the content may have been inserted by an attacker. 

In some cases, the attacker may completely hide the signed portion of a
message and present the user with only the forged portion. It should be
noted that this is not a cryptographic problem. It affects how
information is presented to the user and how third-party applications
interact with GnuPG. 

This attack method affects systems using: 

* GnuPG 1.4.6 and previous versions 
* Enigmail 0.94.2 and previous versions 
* KMail 1.9.5 and previous versions 
* Evolution 2.8.1 and previous versions 
* Sylpheed 2.2.7 and previous versions 
* Mutt 1.5.13 and previous versions 
* GNUMail 1.1.2 and previous versions 
* Other scripts and applications using GnuPG may be vulnerable 

To address this vulnerability, users of scripts and applications using
GnuPG should immediately upgrade to the latest versions of GnuPG and

Additionally, Core Security recommends that, if a signed message looks
suspicious, the validity of the signature can be verified by manually
invoking GnuPG from the command line and adding the special option
"--status-fd" to gain extra information. 

"This vulnerability is a good example of how very subtle implementation
decisions on how to interface data communications between two
applications, in this case email front-end extensions and GnuPG, can end
up exposing end users to unexpected security weaknesses," said Iván
Arce, CTO, Core Security Technologies. "We continue to encourage and
support the use of GnuPG as a convenient way to improve the security and
privacy of communications. To that effect and to prevent traffic
analysis attacks, we also recommend that encryption should be turned on
by default on every email."  


Eric Robinson
Business Application Advisor
FedEx Corporate Services
Internet Engineering & EC Integration
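As an added example, not code from the article, Core Security or the GnuPG project: a small Python checker for the `--status-fd` lines the article recommends inspecting. The sample status lines are constructed (key id, fingerprint and timestamps are placeholders), and the rule that a trustworthy message must yield exactly one PLAINTEXT line and one GOODSIG/VALIDSIG pair is this example's own policy, not a GnuPG rule.

```python
"""Check GnuPG --status-fd output for a single, fully signed plaintext.

Capture the status lines with, e.g.:  gpg --status-fd 1 --verify msg.gpg
Each status line has the form "[GNUPG:] KEYWORD args..." (GnuPG doc/DETAILS).
"""
from dataclasses import dataclass, field

PREFIX = "[GNUPG:] "
FAILURE_KEYWORDS = ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY")


@dataclass
class Verdict:
    ok: bool
    reason: str
    good_sigs: list = field(default_factory=list)
    plaintext_count: int = 0


def check_status(lines):
    """Return a Verdict for a list of status-fd lines (policy of this example)."""
    plaintexts, good, valid, bad = 0, [], [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.startswith(PREFIX):
            continue  # not a status line; ignore
        parts = line[len(PREFIX):].split(" ", 2)
        keyword, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword == "PLAINTEXT":        # emitted once per plaintext segment
            plaintexts += 1
        elif keyword == "GOODSIG":        # arg is the long key id
            good.append(arg)
        elif keyword == "VALIDSIG":       # arg is the key fingerprint
            valid.append(arg)
        elif keyword in FAILURE_KEYWORDS:
            bad.append(keyword)
    if bad:
        return Verdict(False, "signature problem: " + ",".join(bad), good, plaintexts)
    if plaintexts != 1:
        # Several plaintext segments means part of the displayed output is not
        # the signed payload; zero means nothing was verified at all.
        return Verdict(False, f"expected 1 PLAINTEXT, saw {plaintexts}", good, plaintexts)
    if len(good) != 1 or len(valid) != 1:
        return Verdict(False, "expected exactly one GOODSIG and VALIDSIG", good, plaintexts)
    return Verdict(True, "single signed plaintext", good, plaintexts)


# Constructed samples: a clean run, and one where an unsigned plaintext
# segment precedes the signed one (placeholder key id/fingerprint/timestamps).
CLEAN = [
    "[GNUPG:] PLAINTEXT 62 1173400000 ",
    "[GNUPG:] PLAINTEXT_LENGTH 42",
    "[GNUPG:] GOODSIG 0000000000000000 Example User <user at example.invalid>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2007-03-09 1173400000",
    "[GNUPG:] TRUST_ULTIMATE",
]
TAMPERED = ["[GNUPG:] PLAINTEXT 62 1173400001 ", "[GNUPG:] PLAINTEXT_LENGTH 99"] + CLEAN
```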
