RE: PGP spoof decrypted output?

["McAllister, Andrew" <McAllisterA () umsystem edu>]

Yes, the behavior you are seeing with gpg is exactly the behavior I would expect with PGP. In my opinion, PGP should 
warn and error out when decrypting an encrypted and signed file that has data appended to it. It should not simply take 
the appended data and overwrite the output of the encrypted/signed message when in batch mode.

Does anyone think I should raise this a level and contact NAI/McAfee? Anyone know of a contact point? Problems I see 
trying to get a fix are: 6.5.8 is out of date, the version I have is non-commercial, I'm not a paying customer. 

I'd switch to something else, but gpg et al are not options, we get files from commercial entities who use the 
commercial version of pgp. We must be able to exchange keys, decrypt and verify the latest PGP formats, not the 2.x 
format.

We know that GPG v1.0.6 is NOT vulnerable. Anyone have another PGP version?

Andrew McAllister
University of Missouri

> -----Original Message-----
> From: Rich Henning [mailto:vulnerable () fast net]
snip
> I was unable to reproduce this behavior using GPGv1.0.6 on 
> linux-2.4.18 x86
> in fact, i was even warned that the encrypted message was modified:
snip
>       gpg: WARNING: encrypted message has been manipulated!
snip