Corporate Desktop v7.1 (MacOS9/Win32), Personal Security v7.0.3 (MacOS9/Win32), Freeware v7.0.3 (MacOS9/Win32), E-Business Server
A remote user could convince a recipient that the PGP key signature is valid when it is not in certain situations.
Network Associates reported a vulnerability in their PGP encryption software that could allow a remote user to convince a recipient that a signature is valid when it is not in certain situations. The vulnerability is reportedly due to the method that PGP uses to display key validity. A remote user who can obtain a signature on their key from a trusted third party can then add a second, unsigned user ID to their key. The remote user must then switch the unsigned false user ID to primary and convince the victim to place the key on their keyring. In this situation, it is reported that some of the displays in PGP do not properly identify the false user ID as invalid because the second user ID is fully valid.
The vendor notes that when PGP displays validity information on a per-user ID basis, the display is always correct.
A fix has been issued to ensure that all key validity displays in PGP properly mark the unsigned user ID as invalid.
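The following is an added illustration, not code from the advisory or from PGP: a small model of a key with two user IDs that contrasts a key-level validity display (which reports the whole key as valid as soon as any user ID carries a trusted signature) with a per-user-ID display that marks the unsigned primary user ID as invalid. The key IDs, names and trusted signer are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class UserID:
    """One user ID packet on a key, with the key IDs that have signed it."""
    name: str
    signed_by: set = field(default_factory=set)

@dataclass
class Key:
    """A key with its user IDs; uids[0] is the primary user ID."""
    keyid: str
    uids: list

# Constructed: the verifier trusts signatures from this one key ID.
TRUSTED_SIGNERS = {"TRUSTED-CA"}

def uid_valid(uid, trusted):
    """A user ID is valid only if a trusted signer has certified it."""
    return bool(uid.signed_by & trusted)

def key_valid_aggregate(key, trusted):
    """Flawed key-level display: any valid user ID makes the key show as valid,
    so an unsigned primary user ID borrows the appearance of validity."""
    return any(uid_valid(u, trusted) for u in key.uids)

def validity_per_uid(key, trusted):
    """Corrected display: validity reported separately for every user ID."""
    return {u.name: uid_valid(u, trusted) for u in key.uids}

def primary_uid_valid(key, trusted):
    """What a recipient should check before trusting the name shown first."""
    return uid_valid(key.uids[0], trusted)

def build_demo_key():
    """Constructed key matching the advisory's scenario: one user ID signed by
    a trusted party, one unsigned user ID that has been made primary."""
    signed = UserID("Real Name <real@example.invalid>", {"TRUSTED-CA"})
    unsigned = UserID("Someone Else <else@example.invalid>")
    return Key("0x0123456789ABCDEF", [unsigned, signed])

if __name__ == "__main__":
    key = build_demo_key()
    print("aggregate display says valid:", key_valid_aggregate(key, TRUSTED_SIGNERS))
    print("per-user-ID display:", validity_per_uid(key, TRUSTED_SIGNERS))
    print("primary user ID valid:", primary_uid_valid(key, TRUSTED_SIGNERS))
```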
Hotfixes are reportedly available for the following products:
* PGP Corporate Desktop v7.1 (MacOS9/Win32)
* PGP Personal Security v7.0.3 (MacOS9/Win32)
* PGP Freeware v7.0.3 (MacOS9/Win32)
* PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32)
Product upgrades are available for the following products:
* PGP E-Business Server v6.5.8x (OS/390)
* PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32)
The hotfixes and upgrades are available at:
http://www.pgp.com/naicommon/download/upgrade/upgrades-patch.asp
Vendor address: www.pgp.com/support/product-advisories/pgpsdk.asp
This issue was discovered and reported to Network Associates/PGP Security, Inc. by Sieuwert van Otterloo.