CVE-2007-1263
First published: Tue Mar 06 2007(Updated: )
GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GnuPGME | <=1.1.3 | |
| GnuPG 2 (Gnu Privacy Guard) | <=1.4.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.coresecurity.com/?action=item&id=1687
- http://www.securityfocus.com/bid/22757
- http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html
- https://issues.rpath.com/browse/RPL-1111
- http://www.debian.org/security/2007/dsa-1266
- http://fedoranews.org/cms/node/2776
- http://fedoranews.org/cms/node/2775
- http://www.redhat.com/support/errata/RHSA-2007-0106.html
- http://www.redhat.com/support/errata/RHSA-2007-0107.html
- http://www.ubuntu.com/usn/usn-432-1
- http://www.ubuntu.com/usn/usn-432-2
- http://www.securitytracker.com/id?1017727
- http://secunia.com/advisories/24365
- http://secunia.com/advisories/24420
- http://secunia.com/advisories/24438
- http://secunia.com/advisories/24489
- http://secunia.com/advisories/24511
- http://secunia.com/advisories/24544
- http://lists.suse.com/archive/suse-security-announce/2007-Mar/0008.html
- http://secunia.com/advisories/24734
- http://secunia.com/advisories/24650
- http://support.avaya.com/elmodocs2/security/ASA-2007-144.htm
- http://secunia.com/advisories/24875
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:059
- http://www.trustix.org/errata/2007/0009/
- http://secunia.com/advisories/24407
- http://secunia.com/advisories/24419
- http://securityreason.com/securityalert/2353
- http://www.vupen.com/english/advisories/2007/0835
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10496
- http://www.securityfocus.com/archive/1/461958/30/7710/threaded
- http://www.securityfocus.com/archive/1/461958/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-1263?
CVE-2007-1263 is considered a moderate severity vulnerability due to the potential for message forgery.
How do I fix CVE-2007-1263?
To mitigate CVE-2007-1263, upgrade GnuPG to version 1.4.7 or later and GPGME to version 1.1.4 or later.
What systems are affected by CVE-2007-1263?
CVE-2007-1263 affects GnuPG versions 1.4.6 and earlier and GPGME versions prior to 1.1.4.
What type of attack does CVE-2007-1263 facilitate?
CVE-2007-1263 allows attackers to forge the contents of OpenPGP messages without detection.
How can I confirm if I am vulnerable to CVE-2007-1263?
You can confirm vulnerability to CVE-2007-1263 by checking if your GnuPG or GPGME versions are below the fixed versions.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/severity
- agent/remedy
- agent/weakness
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/gnu
- canonical/gnupgme
- version/gnupgme/1.1.3
- vendor/gnupg
- canonical/gnupg 2 (gnu privacy guard)
- version/gnupg 2 (gnu privacy guard)/1.4.6