Vulnerability Development mailing list archives
RE: PGP spoof decrypted output?
From: Lincoln Yeoh <lyeoh () pop jaring my>
Date: Sat, 08 Jun 2002 10:51:42 +0800
I think it is a genuine problem - a nasty one too.

You could try contacting NAI, but they seemed to have semi-imploded recently so may not be as helpful. See http://www.pgp.com/

Try contacting the sales and ask for a tech - that works sometimes :).

The 6.5.8 source seems to be still around - http://www.pgpi.org/cgi/download.cgi?filename=pgpsrc658win32.zip

Any idea where to start the fix?

BTW: Isn't GPG compatible with the commercial PGPs used by your corresponding commercial entities?
Cheerio,
Link.

At 03:53 PM 6/7/02 -0500, McAllister, Andrew wrote:

Yes, the behavior you are seeing with gpg is exactly the behavior I would expect with PGP. In my opinion, PGP should warn and error out when decrypting an encrypted and signed file that has data appended to it. It should not simply take the appended data and overwrite the output of the encrypted/signed message when in batch mode.

Does anyone think I should raise this a level and contact NAI/McAfee? Anyone know of a contact point? Problems I see trying to get a fix are: 6.5.8 is out of date, the version I have is non-commercial, I'm not a paying customer.

I'd switch to something else, but gpg et al are not options, we get files from commercial entities who use the commercial version of pgp. We must be able to exchange keys, decrypt and verify the latest PGP formats, not the 2.x format.

We know that GPG v1.0.6 is NOT vulnerable. Anyone have another PGP version?

Andrew McAllister
University of Missouri

> -----Original Message-----
> From: Rich Henning [mailto:vulnerable () fast net]
snip
> I was unable to reproduce this behavior using GPGv1.0.6 on
> linux-2.4.18 x86
> in fact, I was even warned that the encrypted message was modified:
snip
> gpg: WARNING: encrypted message has been manipulated!
snip
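
For batch pipelines that cannot switch tools, a pre-check can refuse input that carries anything besides one armored message before it reaches the decryptor. The following is an added example, not code from this thread or from PGP/GnuPG; it assumes the files arrive ASCII-armored and that the appended data sits outside the armor block, and the function name is hypothetical.

```python
import re

# Armor framing of an OpenPGP message (RFC 4880, section 6.2).
BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"
HEADER = re.compile(r"[A-Za-z-]+: .*")
# A base64 data line or the "=XXXX" checksum line (the CRC is not verified here).
BODY = re.compile(r"[A-Za-z0-9+/]+={0,2}|=[A-Za-z0-9+/]{4}")

def check_single_armored_message(text):
    """Return (ok, reason); ok only for exactly one armored message
    with nothing but blank lines before and after it."""
    state = "before"  # before -> headers -> body -> after
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if state == "before":
            if not line:
                continue
            if line != BEGIN:
                return False, f"line {n}: data before armor header"
            state = "headers"
        elif state == "headers":
            if not line:
                state = "body"       # blank line ends the armor headers
            elif not HEADER.fullmatch(line):
                return False, f"line {n}: malformed armor header"
        elif state == "body":
            if line == END:
                state = "after"
            elif not BODY.fullmatch(line):
                return False, f"line {n}: non-base64 data inside armor"
        elif line:                   # state == "after": anything left is appended
            return False, f"line {n}: data after armor footer"
    if state != "after":
        return False, "no complete armored message"
    return True, "ok"

# Constructed sample: the base64 is dummy text, not a real ciphertext.
CLEAN = f"{BEGIN}\nVersion: constructed sample\n\naGVsbG8gd29ybGQ=\n=AbCd\n{END}\n"

if __name__ == "__main__":
    for label, data in [("clean", CLEAN),
                        ("text appended", CLEAN + "appended text\n"),
                        ("second block appended", CLEAN + CLEAN)]:
        print(label, check_single_armored_message(data))
```

This only inspects the armor framing; binary (non-armored) input would need a packet-level check instead.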