The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed.
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
| Link | Tags |
|---|---|
| http://www.gentoo.org/security/en/glsa/glsa-200503-29.xml | third party advisory vendor advisory |
| http://www.osvdb.org/13775 | vdb entry broken link |
| http://www.mandriva.com/security/advisories?name=MDKSA-2005:057 | vendor advisory broken link |
| http://www.kb.cert.org/vuls/id/303094 | third party advisory us government resource |
| http://securitytracker.com/id?1013166 | third party advisory vdb entry |
| http://www.pgp.com/library/ctocorner/openpgp.html | broken link |
| http://www.securityfocus.com/bid/12529 | third party advisory vdb entry |
| http://www.novell.com/linux/security/advisories/2005_07_sr.html | vendor advisory broken link |
| http://eprint.iacr.org/2005/033.pdf | third party advisory technical description |
| http://eprint.iacr.org/2005/033 | third party advisory |