ID CVE-2007-1263
Summary GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, do not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.
Vulnerable Configurations
  • cpe:2.3:a:gnu:gpgme:-:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:gpgme:1.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.2.19:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.9:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.10:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:0.9.11:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.4:-:win32:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.5:-:win32:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.1.90:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.1.91:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.1.92:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.1:windows:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.90:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.91:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.92:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.3.93:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:1.4.6:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 16-10-2018 - 16:37)
CWE NVD-CWE-Other
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity PARTIAL
  • Availability NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
oval via4
accepted 2013-04-29T04:06:09.942-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.
family unix
id oval:org.mitre.oval:def:10496
status accepted
submitted 2010-07-09T03:56:16-04:00
title GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.
version 30
redhat via4
advisories
  • bugzilla
    id 430489
    title CVE-2007-1263 gnupg/gpgme signed message spoofing
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304025
      • comment gnupg is earlier than 0:1.2.6-9
        oval oval:com.redhat.rhsa:tst:20070106001
      • comment gnupg is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20060266002
    rhsa
    id RHSA-2007:0106
    released 2007-03-06
    severity Important
    title RHSA-2007:0106: gnupg security update (Important)
  • bugzilla
    id 430489
    title CVE-2007-1263 gnupg/gpgme signed message spoofing
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331005
      • comment gnupg is earlier than 0:1.4.5-13
        oval oval:com.redhat.rhsa:tst:20070107001
      • comment gnupg is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20070107002
    rhsa
    id RHSA-2007:0107
    released 2007-03-14
    severity Important
    title RHSA-2007:0107: gnupg security update (Important)
rpms
  • gnupg-0:1.0.7-21
  • gnupg-0:1.2.1-20
  • gnupg-0:1.2.6-9
  • gnupg-debuginfo-0:1.2.1-20
  • gnupg-debuginfo-0:1.2.6-9
  • gnupg-0:1.4.5-13
  • gnupg-debuginfo-0:1.4.5-13
refmap via4
bid 22757
bugtraq 20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability
debian DSA-1266
fedora
  • FEDORA-2007-315
  • FEDORA-2007-316
mandriva MDKSA-2007:059
misc http://www.coresecurity.com/?action=item&id=1687
mlist [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME
sectrack 1017727
secunia
  • 24365
  • 24407
  • 24419
  • 24420
  • 24438
  • 24489
  • 24511
  • 24544
  • 24650
  • 24734
  • 24875
sgi 20070301-01-P
sreason 2353
suse SUSE-SA:2007:024
trustix 2007-0009
ubuntu
  • USN-432-1
  • USN-432-2
vupen ADV-2007-0835
Last major update 16-10-2018 - 16:37
Published 06-03-2007 - 20:19
Last modified 16-10-2018 - 16:37