Gentoo Logo

GnuPG: OpenPGP protocol attack

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200503-29 / GnuPG
Release Date March 24, 2005
Latest Revision March 24, 2005: 01
Impact low
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
app-crypt/gnupg < 1.4.1 >= 1.4.1 All supported architectures

Related bugreports: #85547

Synopsis

Automated systems using GnuPG may leak plaintext portions of an encrypted message.

2.  Impact Information

Background

GnuPG is complete and free replacement for PGP, a tool for secure communication and data storage.

Description

A flaw has been identified in an integrity checking mechanism of the OpenPGP protocol.

Impact

An automated system using GnuPG that allows an attacker to repeatedly discover the outcome of an integrity check (perhaps by observing the time required to return a response, or via overly verbose error messages) could theoretically reveal a small portion of plaintext.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All GnuPG users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.1"

4.  References

Print

Page updated March 24, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.