User Activity

  • Modified ticket #985 on Enigmail

    Signature Spoofing with PGP Inline and Text Header

  • Posted a comment on ticket #985 on Enigmail

    Proof of concept.

  • Created ticket #985 on Enigmail

    Signature Spoofing with PGP Inline and Text Header

  • Posted a comment on ticket #860 on Enigmail

    Here is the latest draft of the disclosure document, so you can better understand the key import issue and the context of the attacks.

  • Posted a comment on ticket #860 on Enigmail

    The set-filename issue (filename injection) is CVE-2018-12020. The other issues are bundled as CVE-2018-12019.

  • Posted a comment on ticket #860 on Enigmail

    That seems to be a good idea. You can redirect stderr to a file with --log-file (which requires --batch) or status output to a file with --status-file, or do both. If you also use --output-file, gpg seems to be pretty quiet. Nice catch!

  • Posted a comment on ticket #860 on Enigmail

    Note: I didn't include the key import issue in the patch, because that's not really a vulnerability. It's just something I needed to look at to justify the preconditions of the other attack. So I would argue that has lower priority.

  • Posted a comment on ticket #860 on Enigmail

    I can't test this right now, but here are some specific ideas how to mitigate the exploits.


Personal Data

Username: marcus-b
Joined: 2009-11-12 15:08:49

Projects

  • No projects to display.
