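Vulnerability Details
Multiple Vendor PGP5 Automatic Key Generation Vulnerability
- CNNVD ID: CNNVD-200005-090
- Severity: Low
- CVE ID: CVE-2000-0445
- Vulnerability type: Design error
- Published: 2000-05-24
- Threat type: Local
- Updated: 2006-09-22
- Vendor: pgp
- Vulnerability source: This vulnerability…
Vulnerability Summary
The pgpk command in PGP 5.x on Unix systems uses an insufficient source of random data for non-interactive key generation. This vulnerability may produce predictable keys.
Vulnerability Advisory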
Patching line 1324 of src/lib/ttyui/pgpUserIO.c to look like:
read(fd, &RandBuf, count);
will fix this vulnerability. Because that function has no error checking in place, the change will have no negative impact; ideally, this read should be checked to ensure a byte was actually returned, otherwise the potential for another vulnerability exists.
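The checked read that the note above asks for, as an added example (not PGP source code and not the advisory's patch): `read_entropy` and `demo_pipe` are hypothetical helpers, and the `/dev/random` path and the pipe used as sample input are assumptions constructed for illustration.

```c
/* Added example, not PGP source: read_entropy() is a hypothetical helper. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Fill buf with exactly n bytes from fd.
 * Returns 0 only when every byte was delivered; -1 on error or early EOF. */
int read_entropy(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0)
            got += (size_t)r;      /* short read: keep asking for the rest */
        else if (r == 0)
            return -1;             /* EOF: the source delivered nothing more */
        else if (errno != EINTR)
            return -1;             /* real I/O error (EINTR is retried) */
    }
    return 0;
}

/* Constructed input: a pipe holding `have` bytes stands in for the device. */
int demo_pipe(size_t have, size_t want)
{
    int p[2], rc;
    unsigned char src[16] = {0}, dst[16];
    if (have > sizeof src || want > sizeof dst || pipe(p) != 0) return -2;
    if (write(p[1], src, have) != (ssize_t)have) { close(p[0]); close(p[1]); return -2; }
    close(p[1]);                   /* reader sees EOF after `have` bytes */
    rc = read_entropy(p[0], dst, want);
    close(p[0]);
    return rc;
}

int main(void)
{
    unsigned char RandBuf;
    int fd = open("/dev/random", O_RDONLY);   /* assumed device path */
    if (fd < 0 || read_entropy(fd, &RandBuf, 1) != 0) {
        fprintf(stderr, "no entropy available, refusing to generate a key\n");
        return 1;                  /* fail closed instead of using RandBuf */
    }
    close(fd);
    puts("read 1 byte of entropy");
    return 0;
}
```

The caller treats any non-zero return as fatal, so a failed or empty read can never leave an unfilled buffer feeding key generation.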
From NAI Security Advisory:
Users who generated keys in the manner described above are strongly
urged to do the following:
– Revoke and no longer use keys suspected to have this problem
– Generate new public/private keypairs with entropy collected
from users’ typing and/or mouse movements
– Re-encrypt any data with the newly generated keypairs that is
currently encrypted with keys suspected to have this problem
– Re-sign any data with the newly generated keypairs, if required
Users are also urged to upgrade to the latest releases of PGP,
as PGP 5.0 products have not been officially supported by Network
Associates since early 1999, or distributed by Network Associates
since June 1998.
PGPi PGPi 5.0 i
- PGPi pgpi 6.5: ftp://ftp.pgpi.com/pub/pgp/6.5/
References
Source: CERT/CC Advisory: CA-2000-09
Name: CA-2000-09
Link: http://www.cert.org/advisories/CA-2000-09.html
Source: BID
Name: 1251
Link: http://www.securityfocus.com/bid/1251
Source: OSVDB
Name: 1355
Link: http://www.osvdb.org/1355
Source: BUGTRAQ
Name: 20000523 Key Generation Security Flaw in PGP 5.0
Link: http://archives.neohapsis.com/archives/bugtraq/2000-05/0273.html