RE: PGP spoof decrypted output?

[Lincoln Yeoh <lyeoh () pop jaring my>]

I think it is a genuine problem - a nasty one too.

You could try contacting NAI, but they seemed to have semi-imploded 
recently so may not be as helpful. See http://www.pgp.com/

Try contacting the sales and ask for a tech - that works sometimes :).

The 6.5.8 source seems to be still around - 
http://www.pgpi.org/cgi/download.cgi?filename=pgpsrc658win32.zip

Any idea where to start the fix?

BTW: Isn't GPG compatible with the commercial PGPs used by your 
corresponding commercial entities?

Cheerio,
Link.

At 03:53 PM 6/7/02 -0500, McAllister, Andrew wrote:
> Yes, the behavior you are seeing with gpg is exactly the behavior I would 
> expect with PGP. In my opinion, PGP should warn and error out when 
> decrypting an encrypted and signed file that has data appended to it. It 
> should not simply take the appended data and overwrite the output of the 
> encrypted/signed message when in batch mode.
>
> Does anyone think I should raise this a level and contact NAI/McAfee? 
> Anyone know of a contact point? Problems I see trying to get a fix are: 
> 6.5.8 is out of date, the version I have is non-commercial, I'm not a 
> paying customer.
>
> I'd switch to something else, but gpg et al are not options, we get files 
> from commercial entities who use the commercial version of pgp. We must be 
> able to exchange keys, decrypt and verify the latest PGP formats, not the 
> 2.x format.
>
> We know that GPG v1.0.6 is NOT vulnerable. Anyone have another PGP version?
>
> Andrew McAllister
> University of Missouri
>
> > -----Original Message-----
> > From: Rich Henning [mailto:vulnerable () fast net]
> snip
> > I was unable to reproduce this behavior using GPGv1.0.6 on
> > linux-2.4.18 x86
> > in fact, i was even warned that the encrypted message was modified:
> snip
> >       gpg: WARNING: encrypted message has been manipulated!
> snip