Ticket #195 (new Bug)

Opened 1 year ago

Last modified 1 year ago

Does Mulberry parse the gpg status correctly?

Reported by: endresct Owned by: Cyrus Daboo
Priority: major Milestone: unassigned
Component: Plugins Version: v4.0.8
Severity: Security Keywords: gnupg gpg
Cc: Operating System: All
OS Version:

Description

There is a vulnerability in many eMail programs in the way they use GnuPG to verify signed messages: http://www.coresecurity.com/?action=item&id=1687

I was not able to verify if Mulberry is affected too.

Change History

Changed 1 year ago by endresct

  • keywords gpg added
  • os_version deleted

GnuPG has been patched against this problem. Upgrade to at least 1.4.7.

http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html

Changed 1 year ago by endresct

  • summary changed from Does Mulberry use GnuPG with --status-fd and parse the status correctly? to Does Mulberry parse the gpg status correctly?

Using the information from the GnuPG mailing list above I found out that Mulberry after verifying a signature only shows the signed part of a message. Any text that tries to use the vulnerability is not displayed afterwards.

But Mulberry 4.0.8 doesn't show a warning or error message with GnuPG before 1.4.7. So it is half affected: It doesn't recognise the attack but the user can't mistake unsigned text for signed text. Mulberry might do OK by coincidence?
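As an added illustration (not Mulberry's code, and not from the ticket), a client-side check of the kind the ticket title asks about: it parses gpg `--status-fd` output and refuses to display a message as fully signed when gpg reports more than one PLAINTEXT segment for a single GOODSIG/VALIDSIG pair. The status transcripts are constructed, and the key id, fingerprint and signer name are placeholders; the real fix remains upgrading GnuPG to 1.4.7 or later.

```python
import re

# Constructed gpg --status-fd transcripts (not captured from a real run).
# A cleanly signed message: one literal-data packet, one good signature.
CLEAN = """\
[GNUPG:] PLAINTEXT 62 1171547893
[GNUPG:] SIG_ID kX2Q3x1ZmUK1uV8PvP4fZqNw9Bc 2007-02-15 1171547893
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-02-15 1171547893 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY
"""
# Same signature, but a second literal-data packet follows it: unsigned text
# spliced into the message, which gpg reports as a second PLAINTEXT line.
SPLICED = CLEAN + "[GNUPG:] PLAINTEXT 62 1171547893\n"
# A message whose signature does not verify.
BAD = ("[GNUPG:] PLAINTEXT 62 1171547893\n"
       "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>\n")

STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(text):
    """Return (keyword, args) pairs for every '[GNUPG:] ...' status line."""
    events = []
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            events.append((m.group(1), m.group(2) or ""))
    return events


def verdict(status_text):
    """Classify a status stream before deciding how to display the message.

    'signed' is returned only when gpg reported exactly one plaintext
    segment and a GOODSIG/VALIDSIG pair for it. Any additional PLAINTEXT
    line means data was processed that the signature does not cover, so
    the message must not be presented as fully signed.
    """
    keywords = [kw for kw, _ in parse_status(status_text)]
    if any(kw in ("BADSIG", "ERRSIG") for kw in keywords):
        return "bad-signature"
    if "GOODSIG" not in keywords or "VALIDSIG" not in keywords:
        return "unsigned"
    if keywords.count("PLAINTEXT") != 1:
        return "spliced"  # data segments and signatures do not match one-to-one
    return "signed"
```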
