GnuPG Key Validation Issues Affecting Multiple User IDs
CVE-2003-0255

Currently unrated

Key Information:

Vendor: Gnu
Status: Privacy Guard
Vendor: CVE Published:; 27 May 2003

Summary

The GnuPG key validation mechanism prior to version 1.2.2 is flawed in that it incorrectly assesses the validity of keys associated with multiple user IDs. Instead of analyzing each user ID's trust individually, it defaults to the highest validity level among them. Consequently, this can mislead users during encryption, as they might not receive appropriate warnings when a user ID lacks a trusted path. This oversight could potentially expose sensitive information to unauthorized entities.

References

http://www.turbolinux.com/security/TLSA-2003-34.txt

vendor-advisoryx_refsource_TURBO

http://www.redhat.com/support/errata/RHSA-2003-175.html

vendor-advisoryx_refsource_REDHAT

http://www.osvdb.org/4947

vdb-entryx_refsource_OSVDB

Timeline

Vulnerability published
May 27, 2003
Vulnerability Reserved
May 6, 2003