Vulnerabilities > CVE-2007-1264 - Unspecified vulnerability in Enigmail

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
enigmail
nessus
exploit available

Summary

Enigmail 0.94.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Enigmail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.

Exploit-Db

descriptionKMail 1.x GnuPG Arbitrary Content Injection Vulnerability. CVE-2007-1264. Remote exploit for linux platform
idEDB-ID:29690
last seen2016-02-03
modified2007-03-05
published2007-03-05
reporterGerardo Richarte
sourcehttps://www.exploit-db.com/download/29690/
titleKMail 1.x GnuPG Arbitrary Content Injection Vulnerability

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-432-1.NASL
    descriptionGerardo Richarte from Core Security Technologies discovered that when gnupg is used without --status-fd, there is no way to distinguish initial unsigned messages from a following signed message. An attacker could inject an unsigned message, which could fool the user into thinking the message was entirely signed by the original sender. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28026
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28026
    titleUbuntu 5.10 / 6.06 LTS / 6.10 : gnupg vulnerability (USN-432-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2007-059.NASL
    descriptionGnuPG prior to 1.4.7 and GPGME prior to 1.1.4, when run from the command line, did not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components. This could allow a remote attacker to forge the contents of an email message without detection. GnuPG 1.4.7 is being provided with this update and GPGME has been patched on Mandriva 2007.0 to provide better visual notification on these types of forgeries.
    last seen2020-06-01
    modified2020-06-02
    plugin id24809
    published2007-03-12
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24809
    titleMandrake Linux Security Advisory : gnupg (MDKSA-2007:059)