{"vuid":"VU#397604","idnumber":"397604","name":"GnuPG contains flaw in key validation code","keywords":["GnuPG","key validation code","trust path"],"overview":"A vulnerability in GnuPG may cause keys with multiple user ID's to give other user IDs on the key a false amount of validity.","clean_desc":"From the GnuPG homepage: GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI, Inc. A vulnerability in GnuPG may cause keys with multiple user ID's to give other user IDs on the key a false amount of validity. From the GnuPG announcement: As part of the development of GnuPG 1.2.2, a bug was discovered in the key validation code. This bug causes keys with more than one user ID to give all user IDs on the key the amount of validity given to the most-valid key.","impact":"A user encrypting a message using GnuPG may not be warned if the target user key being encrypted to has an \"insufficient or no trust path\".","resolution":"Apply a patch from your vendor. If a patch is not available, you may wish to apply the patch produced by the GnuPG team.","workarounds":"","sysaffected":"","thanks":"This vulnerability was discovered by the GnuPG Team. The CERT/CC thanks the GnuPG Team for providing information upon which this document is based.","author":"This document was written by Ian A Finlay.","public":["http://lists.gnupg.org/pipermail/gnupg-announce/2003q2/000268.html","http://www.gnupg.org/(en)/documentation/faqs.html#q1.1","http://www.iss.net/security_center/static/11930.php","http://www.securityfocus.com/bid/7497"],"cveids":["CVE-2003-0255"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-05-05T16:24:29Z","publicdate":"2003-05-03T00:00:00Z","datefirstpublished":"2003-05-20T20:10:29Z","dateupdated":"2003-07-14T18:19:12Z","revision":10,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"20","cam_impact":"10","cam_easeofexploitation":"5","cam_attackeraccessrequired":"20","cam_scorecurrent":"6.75","cam_scorecurrentwidelyknown":"8.625","cam_scorecurrentwidelyknownexploited":"16.125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":6.75,"vulnote":null}