GNU Privacy Guard Insecure Trusted Path User ID Vulnerability

Vulnerability Details


Vulnerability Summary

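GNU Privacy Guard (GnuPG) is an open-source encryption program.
GPG does not correctly determine the validity of keys that carry multiple user IDs, which can lead to disclosure of information sent to a trusted user.
Keys with only one user ID are not affected by this vulnerability. A simple example: suppose a key has two user IDs:
Alice and Alice's other address
If the encrypting user has a trusted path to the ID alice@example.com, that ID is fully valid, and no warning appears when encrypting to alice@example.com.
If the encrypting user's path to the ID "alice@corp.example.net" is insufficient or untrusted, that ID is not fully valid, or rather not valid in every respect. Encrypting to this other user ID should produce a warning ("it is not certain this key belongs to the user named in the user ID / do you want to encrypt to it anyway?"), but because of this vulnerability the invalid user ID is accepted as valid without any warning.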
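The following added example (not GnuPG code and not part of the original advisory) models the two-user-ID case above: the vulnerable lookup takes the maximum validity over all user IDs of the key, while the corrected lookup uses only the record of the user ID that was selected. The struct, the function names, the `V_*` constants, the placeholder hash bytes and the `must_warn` threshold are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20   /* user-ID hash length, as compared in the patch */
/* Model-only validity levels (assumed names; only the ordering matters). */
enum { V_UNKNOWN = 0, V_MARGINAL = 4, V_FULLY = 5 };

/* One validity record per user ID (simplified, not GnuPG's struct). */
struct valid_rec {
    unsigned char namehash[HASH_LEN];  /* hash of the user ID covered */
    int validity;
};

/* Vulnerable behaviour: no namehash is used, so the key as a whole gets
   the highest validity found on any of its user IDs. */
static int validity_max_over_uids(const struct valid_rec *r, size_t n)
{
    int v = V_UNKNOWN;
    for (size_t i = 0; i < n; i++)
        if (v < r[i].validity)
            v = r[i].validity;
    return v;
}

/* Corrected behaviour: only the selected user ID's record counts, and a
   user ID without a record has no validity at all. */
static int validity_for_uid(const struct valid_rec *r, size_t n,
                            const unsigned char *namehash)
{
    for (size_t i = 0; i < n; i++)
        if (memcmp(r[i].namehash, namehash, HASH_LEN) == 0)
            return r[i].validity;
    return V_UNKNOWN;
}

/* Constructed key with two user IDs; hashes are placeholder bytes. */
static const struct valid_rec alice_key[2] = {
    { { 0xA1 }, V_FULLY },    /* alice@example.com: trusted path */
    { { 0xB2 }, V_UNKNOWN },  /* alice@corp.example.net: no trusted path */
};
static const unsigned char corp_hash[HASH_LEN] = { 0xB2 };

/* Simplified rule: warn unless the chosen user ID is fully valid. */
static int must_warn(int validity) { return validity < V_FULLY; }

int main(void)
{
    printf("max over UIDs: warn=%d\n",
           must_warn(validity_max_over_uids(alice_key, 2)));
    printf("selected UID:  warn=%d\n",
           must_warn(validity_for_uid(alice_key, 2, corp_hash)));
    return 0;
}
```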

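Vulnerability Advisory

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:

* Patch provided by the GnuPG Team: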

Index: g10/trustdb.c

===================================================================

RCS file: /cvs/gnupg/gnupg/g10/trustdb.c,v

retrieving revision 1.89.2.1

diff -u -r1.89.2.1 trustdb.c

— g10/trustdb.c 2 Oct 2002 21:56:03 -0000 1.89.2.1

+++ g10/trustdb.c 4 May 2003 01:12:38 -0000

@@ -808,16 +808,27 @@

while (recno)

{

read_record (recno, &vrec, RECTYPE_VALID);

– if ( validity < (vrec.r.valid.validity & TRUST_MASK) )

– validity = (vrec.r.valid.validity & TRUST_MASK);

– if ( namehash && !memcmp (vrec.r.valid.namehash, namehash, 20) )

– break;

+ if(namehash)

+ {

+ /* If namehash is given we return the trust for that user ID

+ ONLY. If the namehash is not found, then there is no

+ validity at all (i.e. the user ID wasn’t signed). */

+ if(memcmp(vrec.r.valid.namehash,namehash,20)==0)

+ {

+ validity=(vrec.r.valid.validity & TRUST_MASK);

+ break;

+ }

+ }

+ else

+ {

+ /* If no namehash is given, we take the maximum validity

+ over all user IDs */

+ if ( validity < (vrec.r.valid.validity & TRUST_MASK) )

+ validity = (vrec.r.valid.validity & TRUST_MASK);

+ }

recno = vrec.r.valid.next;

}

– if (recno) /* okay, use the user ID associated one */

– validity = (vrec.r.valid.validity & TRUST_MASK);

if ( (trec.r.trust.ownertrust & TRUST_FLAG_DISABLED) )

validity |= TRUST_FLAG_DISABLED;
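
Review bot: in the new `if(namehash)` branch, a namehash that matches no record leaves `validity` at whatever value it held before the `while (recno)` loop, and that initialisation is outside this hunk. The comment promises "no validity at all" for that case, so confirm the variable starts at 0 or assign it explicitly before the loop. The bare `20` in `memcmp(vrec.r.valid.namehash,namehash,20)` would also read better as a named constant for the hash length.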

Index: g10/pkclist.c

===================================================================

RCS file: /cvs/gnupg/gnupg/g10/pkclist.c,v

retrieving revision 1.73.2.1

diff -u -r1.73.2.1 pkclist.c

— g10/pkclist.c 17 Oct 2002 13:49:30 -0000 1.73.2.1

+++ g10/pkclist.c 4 May 2003 01:12:39 -0000

@@ -524,17 +524,23 @@

return 0;

if( !opt.batch && !rc ) {

– char *p;

u32 keyid[2];

– size_t n;

keyid_from_pk( pk, keyid);

tty_printf( “%4u%c/%08lX %s \””,

nbits_from_pk( pk ), pubkey_letter( pk->pubkey_algo ),

(ulong)keyid[1], datestr_from_pk( pk ) );

– p = get_user_id( keyid, &n );

– tty_print_utf8_string( p, n ),

– m_free(p);

+ /* If the pk was chosen by a particular user ID, this is the

+ one to ask about. */

+ if(pk->user_id)

+ tty_print_utf8_string(pk->user_id->name,pk->user_id->len);

+ else

+ {

+ size_t n;

+ char *p = get_user_id( keyid, &n );

+ tty_print_utf8_string( p, n );

+ m_free(p);

+ }

tty_printf(“\”\n”);

print_fingerprint (pk, NULL, 2);

tty_printf(“\n”);
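
Review bot: the `else` branch under `if(pk->user_id)` still prints the name returned by `get_user_id( keyid, &n )`, which is looked up by key ID alone, so when `pk->user_id` is unset the prompt can show a user ID other than the one the trust decision is about. A comment stating when `pk->user_id` may be NULL here, and why the key-ID lookup is acceptable in that case, would make the fallback reviewable.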

@@ -887,8 +893,27 @@

}

else {

int trustlevel;

+

+ /* Fill in the namehash so we can get the validity

+ for this particular UID. If we start using it

+ in more places than here, it might be good to

+ fill this in for all PKs. */

+

+ if(pk->user_id)

+ {

+ pk->namehash=m_alloc(20);

+

+ if( pk->user_id->attrib_data )

+ rmd160_hash_buffer (pk->namehash,

+ pk->user_id->attrib_data,

+ pk->user_id->attrib_len);

+ else

+ rmd160_hash_buffer (pk->namehash,

+ pk->user_id->name,

+ pk->user_id->len );

+ }

– trustlevel = get_validity (pk, NULL);

+ trustlevel = get_validity (pk, pk->namehash);

if( (trustlevel & TRUST_FLAG_DISABLED) ) {

tty_printf(_(“Public key is disabled.\n”) );

}
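
Review bot: `pk->namehash=m_alloc(20);` overwrites whatever pointer was stored there and nothing in this hunk frees it, so a second pass through this path for the same pk leaks unless the pk release code handles namehash. Guard the allocation with a check for an existing value or document who owns the buffer. When `pk->user_id` is NULL, `get_validity (pk, pk->namehash)` receives whatever namehash already holds, and a NULL there selects the maximum-over-all-user-IDs branch added in trustdb.c, which deserves a comment.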

@@ -901,8 +926,6 @@

}

else {

PK_LIST r;

– char *p;

– size_t n;

u32 keyi

References

Source: US-CERT Vulnerability Note: VU#397604
Name: VU#397604
Link: http://www.kb.cert.org/vuls/id/397604

Source: REDHAT
Name: RHSA-2003:175
Link: http://www.redhat.com/support/errata/RHSA-2003-175.html

Source: BUGTRAQ
Name: 20030504 Key validity bug in GnuPG 1.2.1 and earlier
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105215110111174&w=2

Source: XF
Name: gnupg-invalid-key-acceptance(11930)
Link: http://xforce.iss.net/xforce/xfdb/11930

Source: BID
Name: 7497
Link: http://www.securityfocus.com/bid/7497

Source: REDHAT
Name: RHSA-2003:176
Link: http://www.redhat.com/support/errata/RHSA-2003-176.html

Source: OSVDB
Name: 4947
Link: http://www.osvdb.org/4947

Source: TURBO
Name: TLSA200334
Link: http://www.turbolinux.com/security/TLSA-2003-34.txt

Source: MANDRAKE
Name: MDKSA-2003:061
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2003:061

Source: www.linuxsecurity.com
Link: http://www.linuxsecurity.com/advisories/gentoo_advisory-3266.html

Source: ENGARDE
Name: 20030515-016
Link: http://www.linuxsecurity.com/advisories/engarde_advisory-3258.html

Source: BUGTRAQ
Name: 20030522 [slackware-security] GnuPG key validation fix (SSA:2003-141-04)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105362224514081&w=2

Source: BUGTRAQ
Name: 20030516 [OpenPKG-SA-2003.029] OpenPKG Security Advisory (gnupg)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105311804129104&w=2

Source: ENGARDE
Name: ESA-20030515-016
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105301357425157&w=2

Source: CONECTIVA
Name: CLA-2003:694
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000694

Source: US Government Resource: oval:org.mitre.oval:def:135
Name: oval:org.mitre.oval:def:135
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:135

Affected Entities
