-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier Advisory number: CSSA-2003-034.0 Issue date: 2003 November 17 Cross reference: sr883602 fz528211 erg712405 CAN-2003-0255 ______________________________________________________________________________ 1. Problem Description As part of the development of GnuPG 1.2.2, a bug was discovered in the key validation code. This bug causes keys with more than one user ID to give all user IDs on the key the amount of validity given to the most-valid key. CAN-2003-0255 The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0255 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to gnupg-1.2.2-1.i386.rpm OpenLinux 3.1.1 Workstation prior to gnupg-1.2.2-1.i386.rpm 3. Solution The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-034.0/RPMS 4.2 Packages d6da27be5c407641dc29f753d96e41fc gnupg-1.2.2-1.i386.rpm 4.3 Installation rpm -Fvh gnupg-1.2.2-1.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-034.0/SRPMS 4.5 Source Packages b1ab55790186abd7997af751b3032721 gnupg-1.2.2-1.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-034.0/RPMS 5.2 Packages 5469dcefe0be50d4d99d4b925a58d453 gnupg-1.2.2-1.i386.rpm 5.3 Installation rpm -Fvh gnupg-1.2.2-1.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-034.0/SRPMS 5.5 Source Packages be6338d319f84f139e8363f64bc6673a gnupg-1.2.2-1.src.rpm 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0255 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr883602 fz528211 erg712405. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgements SCO would like to thank The GnuPG Team (David, Stefan, Timo and Werner) ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj+5JjYACgkQbluZssSXDTGX9gCg++EK6pUrwQRfZl54wqUCinB8 itcAniMWmXByl7LyjfSP4chsEK2RcfXa =nik3 -----END PGP SIGNATURE-----