PGPsdk Key Validity Vulnerability

A vulnerability in PGP's display of key validity has been discovered that could
allow an attacker to fool users into thinking that a valid signature was created
by what is actually an invalid user ID. If the attacker can obtain a signature
on their key from a trusted third party, they can then add a second user ID to
their key which is unsigned. The attacker must then switch the unsigned false
user ID to primary and convince the victim to place the key on their keyring. In
such a case, some of the displays in PGP do not properly identify the false user
ID as invalid because the second user ID is fully valid. Whenever PGP displays
validity information on a per-user ID basis, the display is correct. Thus,
attentive users who examine the user IDs of all public keys which they import to
their keyrings will immediately notice this problem before it could have any
impact. 

This issue was discovered and reported to Network Associates/PGP Security, Inc.
by Sieuwert van Otterloo. 

This issue has been corrected such that all key validity displays in PGP will
properly mark the unsigned user ID as invalid. Hotfixes are now available for
the following products:

PGP Corporate Desktop v7.1 (MacOS9/Win32) 
PGP Personal Security v7.0.3 (MacOS9/Win32) 
PGP Freeware v7.0.3 (MacOS9/Win32) 
PGP E-Business Server v7.1 (Linux/Solaris/AIX/HPUX/Win32) 

Product upgrades are available for the following products: 

PGP E-Business Server v6.5.8x (OS/390) 
PGP E-Business Server v7.0.4 (Linux/Solaris/AIX/HPUX/Win32) 

The diffs for patching the source release of PGP version 6.5.8 can be found in
PGPsdk1.7.8-diffs.zip.