Vulnerability Development mailing list archives
RE: PGP spoof decrypted output?
From: "McAllister, Andrew" <McAllisterA () umsystem edu>
Date: Fri, 7 Jun 2002 15:53:00 -0500
Yes, the behavior you are seeing with gpg is exactly the behavior I would expect with PGP. In my opinion, PGP should warn and error out when decrypting an encrypted and signed file that has data appended to it. It should not simply take the appended data and overwrite the output of the encrypted/signed message when in batch mode.

Does anyone think I should raise this a level and contact NAI/McAfee? Anyone know of a contact point? Problems I see trying to get a fix are: 6.5.8 is out of date, the version I have is non-commercial, I'm not a paying customer.

I'd switch to something else, but gpg et al. are not options; we get files from commercial entities who use the commercial version of PGP. We must be able to exchange keys, decrypt and verify the latest PGP formats, not the 2.x format.

We know that GPG v1.0.6 is NOT vulnerable. Anyone have another PGP version?

Andrew McAllister
University of Missouri
-----Original Message-----
From: Rich Henning [mailto:vulnerable () fast net]
snip
I was unable to reproduce this behavior using GPGv1.0.6 on linux-2.4.18 x86. In fact, I was even warned that the encrypted message was modified:
snip
gpg: WARNING: encrypted message has been manipulated!
snip
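
Added example, not part of the original message or thread: a pre-decryption check a batch job could run to reject a file with anything appended after the encrypted data, the condition the message says PGP should error out on. It assumes binary (not ASCII-armored) input and RFC 4880 packet framing; the function names are hypothetical, and it does not model how PGP 6.5.8 itself parses the file.

```python
ESK_TAGS = {1, 3}    # public-key / symmetric-key encrypted session key packets
ENC_TAGS = {9, 18}   # symmetrically encrypted data, without / with integrity protection
def _new_len(buf, i):
    """Decode one new-format length header at buf[i] -> (length, next_i, is_partial)."""
    o = buf[i]
    if o < 192:
        return o, i + 1, False
    if o < 224:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2, False
    if o == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5, False
    return 1 << (o & 0x1F), i + 1, True      # partial body length, more chunks follow

def packets(buf):
    """Yield the tag of each top-level packet; raise on bytes that are not packet framing."""
    i = 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80:
            raise ValueError(f"offset {i}: not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, i, partial = hdr & 0x3F, i + 1, True
            while partial:
                n, i, partial = _new_len(buf, i)
                i += n
        else:  # old format; width 8 = indeterminate length, body runs to EOF (appended data not visible)
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            i = len(buf) if width == 8 else i + 1 + width + int.from_bytes(buf[i + 1:i + 1 + width], "big")
        if i > len(buf):
            raise ValueError("truncated packet")
        yield tag

def check_single_message(buf):
    """(ok, reason): ok only for ESK packets followed by exactly one encrypted-data packet."""
    seen_enc = False
    try:
        for tag in packets(buf):
            if seen_enc:
                return False, f"trailing packet (tag {tag}) after encrypted data"
            if tag not in ESK_TAGS | ENC_TAGS:
                return False, f"unexpected top-level packet tag {tag}"
            seen_enc = tag in ENC_TAGS
    except (ValueError, IndexError) as exc:
        return False, f"malformed: {exc}"
    return (True, "ok") if seen_enc else (False, "no encrypted data packet")

# Constructed sample bytes: packet framing only, bodies are filler, not real ciphertext.
GOOD = b"\xc1\x03abc" + b"\xd2\x05hello"   # tag 1 (session key) + tag 18 (encrypted data)
TAMPERED = GOOD + b"\xcb\x04data"           # a tag 11 (literal data) packet appended
```

A batch job would call check_single_message() on the file contents and skip decryption unless it returns (True, "ok").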