Last Updated: 2007-03-07 12:39:48 UTC
by Arrigo Triulzi (Version: 1)
An OpenPGP-compliant message can be made up of multiple sections, not all of which need to be signed or encrypted. The "helper" plugins and mail software do not use the GnuPG API correctly to interpret where the sections start and end, leading to something called "injection", which is a fancy name for "adding untrusted data which is indistinguishable from trusted data".
Translated: you see the pretty icon telling you that the whole message is encrypted and signed whereas there is a section of it (text, image, binary, whatever) which isn't.
What if you use GnuPG "raw"? Well, the visual cues are insufficient even for an advanced user, and this is why a new release of GnuPG is being distributed and the relevant CVE numbers were issued.
To give you an idea of the extent of the issue here are the CVE numbers:
- CVE-2007-1263 - for the visual distinction issues in GnuPG itself, all 4 attacks.
- CVE-2007-1264 - Enigmail improper use of --status-fd
- CVE-2007-1265 - KMail improper or non-existing use of --status-fd
- CVE-2007-1266 - Evolution improper or non-existing use of --status-fd
- CVE-2007-1267 - Sylpheed improper or non-existing use of --status-fd
- CVE-2007-1268 - Mutt improper or non-existing use of --status-fd
- CVE-2007-1269 - GNUMail improper or non-existing use of --status-fd
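The client-side issues above all come down to the same missing check on GnuPG's `--status-fd` output: a message that produces more than one PLAINTEXT status line contains more than one section, and only a message with exactly one section covered by a good signature (and a clean decryption) should earn the "signed and encrypted" icon. The following is an added illustration of that check, not code from GnuPG or from any of the clients listed; the status streams, key ID and sender name are constructed placeholders.

```python
# Added illustration, not GnuPG's or any listed client's code; key ID and name below are placeholders.
from dataclasses import dataclass, field

PREFIX = "[GNUPG:] "
# Constructed --status-fd stream for one encrypted and signed section.
CLEAN = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1173271188 msg.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <sender@example.org>
[GNUPG:] END_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
"""
# Constructed: the same stream followed by a second, unsigned section.
INJECTED = CLEAN + "[GNUPG:] PLAINTEXT 62 1173271188 injected.txt\n"

@dataclass
class Summary:
    plaintexts: int = 0          # literal-data sections GnuPG emitted
    good_sigs: int = 0
    bad_sigs: int = 0
    decryption_ok: bool = False
    signers: list = field(default_factory=list)

def parse_status(status_text: str) -> Summary:
    s = Summary()
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue                          # stderr noise, not a status line
        fields = line[len(PREFIX):].split()
        tok, args = fields[0], fields[1:]
        if tok == "PLAINTEXT":
            s.plaintexts += 1
        elif tok == "GOODSIG":
            s.good_sigs += 1
            s.signers.append(args[0])         # long key ID of the signer
        elif tok in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            s.bad_sigs += 1
        elif tok == "DECRYPTION_OKAY":
            s.decryption_ok = True
    return s

def trust_decision(status_text: str, expect_encrypted: bool = True):
    """Return (show_trusted_icon, reason): the whole message is covered or nothing is."""
    s = parse_status(status_text)
    if s.plaintexts != 1:
        return False, f"{s.plaintexts} sections in one message; refusing"
    if s.bad_sigs or not s.good_sigs:
        return False, "no good signature covering the section"
    if expect_encrypted and not s.decryption_ok:
        return False, "decryption did not complete cleanly"
    return True, f"one section, good signature from {s.signers[0]}"
```

The decision is all-or-nothing on purpose: a client that shows a per-section indicator instead would be displaying exactly the visual cue the advisory says users cannot interpret.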