Multiple Vendor PGP5 Automatic Key Generation Routine Vulnerability

Solution:
Patching line 1324 of src/lib/ttyui/pgpUserIO.c to look like:
read(fd, &RandBuf, count);

will fix this vulnerability. As there is no error checking in place in that function, it will have no negative impact; ideally, this read should be checked to ensure a byte was actually returned, or the potential for another vulnerability exists.

From NAI Security Advisory:

Users who generated keys in the manner described above are strongly
urged to do the following:

- Revoke and no longer use keys suspected to have this problem

- Generate new public/private keypairs with entropy collected
from users' typing and/or mouse movements

- Re-encrypt any data with the newly generated keypairs that is
currently encrypted with keys suspected to have this problem

- Re-sign any data with the newly generated keypairs, if required

Users are also urged to upgrade to the latest releases of PGP,
as PGP 5.0 products have not been officially supported by Network
Associates since early 1999, or distributed by Network Associates
since June 1998.


PGPi PGPi 5.0 i


 

Privacy Statement
Copyright 2010, SecurityFocus