Information Security


Unsigned content injection in many applications that use GnuPG
Published: March 6, 2007
Source:
SecurityVulns ID: 7351
Type: client
Severity: 6/10
Description: When message content is displayed, the boundaries of the signed text are shown incorrectly.
Affected products: MUTT : mutt 1.5
 GNU : GnuPG 1.4
 KDE : KMail 1.9
 ENIGMAIL : Enigmail 0.94
 GNOME : Evolution 2.8
 SYLPHEED : Sylpheed 2.2
 GNUMAIL : GNUMail 1.1
CVE: CVE-2007-1269 (GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1268 (Mutt 1.5.13 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Mutt from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1267 (Sylpheed 2.2.7 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Sylpheed from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1266 (Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1265 (KMail 1.9.5 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents KMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1264 (Enigmail 0.94.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Enigmail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.)
 CVE-2007-1263 (GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.)
Original text: CORE SECURITY TECHNOLOGIES ADVISORIES, CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability (06.03.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod