[commits] Crypt branch master updated. 1d95aeff1674f8bfe534ffb2d5376368d328862e
jan at horde.org
jan at horde.org
Tue May 15 20:35:21 UTC 2018
The branch "master" has been updated.
The following is a summary of the commits.
from: f3bceee701eb5f6c6f69c718e1f4ad578b8d0d7a
ef329a8 mitigate efail
7a3a722 Enforce MDC when encrypting symmetrically.
1c054ce Always check STDERR.
64d67c7 Add unit tests for MDC verification.
1d95aef [jan] Enforce MDC verification when decrypting PGP messages to mitigatet EFAIL attacks (Immerda <admin at immerda.ch>).
Summary: https://github.com/horde/Crypt/compare/f3bceee701eb...1d95aeff1674
-----------------------------------------------------------------------
commit ef329a890572c6381ddf6d491a55423d9de0a0cb
Author: Immerda <admin at immerda.ch>
Date: Mon, 14 May 2018 22:47:33 +0200
mitigate efail
This commit prevents the gpg backend from decrypting non integrity
protected messages. The efail [0] vurneability relies on the attacker
being able to inject content into an encrypted mail.
According to [1], the correct way of detecting if decryption succeeded
is not to check the return code. Instead the `--status-fd` should be
checked for DECRYPTION_OKAY.
Imp currently displays the decrypted body (including the gpg warning)
in the message pane. This opens up decryption oracle attacks.
[0] https://efail.de/
[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS
M lib/Horde/Crypt/Pgp/Backend/Binary.php
https://github.com/horde/Crypt/commit/ef329a890572c6381ddf6d491a55423d9de0a0cb
-----------------------------------------------------------------------
commit 7a3a722de2f6f9c99c155dede41571e954524c95
Author: Jan Schneider <jan at horde.org>
Date: Tue, 15 May 2018 22:30:46 +0200
Enforce MDC when encrypting symmetrically.
M lib/Horde/Crypt/Pgp/Backend/Binary.php
M test/Horde/Crypt/fixtures/pgp_encrypted_symmetric.txt
https://github.com/horde/Crypt/commit/7a3a722de2f6f9c99c155dede41571e954524c95
-----------------------------------------------------------------------
commit 1c054ce750c99229cadb75e81b80b49047d1cfb9
Author: Jan Schneider <jan at horde.org>
Date: Tue, 15 May 2018 22:31:13 +0200
Always check STDERR.
M lib/Horde/Crypt/Pgp/Backend/Binary.php
https://github.com/horde/Crypt/commit/1c054ce750c99229cadb75e81b80b49047d1cfb9
-----------------------------------------------------------------------
commit 64d67c72ed26a380f21cd7542cb0f8d1197c10ed
Author: Jan Schneider <jan at horde.org>
Date: Tue, 15 May 2018 22:31:46 +0200
Add unit tests for MDC verification.
M test/Horde/Crypt/Pgp/TestBase.php
A test/Horde/Crypt/fixtures/mdc/correct
A test/Horde/Crypt/fixtures/mdc/correct-withoutcrc
A test/Horde/Crypt/fixtures/mdc/manipulated-withoutmdc
A test/Horde/Crypt/fixtures/mdc/manmessage
A test/Horde/Crypt/fixtures/mdc/public-key.gpg
A test/Horde/Crypt/fixtures/mdc/secret-key.gpg
A test/Horde/Crypt/fixtures/mdc/testmessage
A test/Horde/Crypt/fixtures/mdc/withoutmdc
A test/Horde/Crypt/fixtures/mdc/wrongmdc
https://github.com/horde/Crypt/commit/64d67c72ed26a380f21cd7542cb0f8d1197c10ed
-----------------------------------------------------------------------
commit 1d95aeff1674f8bfe534ffb2d5376368d328862e
Author: Jan Schneider <jan at horde.org>
Date: Tue, 15 May 2018 22:35:12 +0200
[jan] Enforce MDC verification when decrypting PGP messages to mitigatet EFAIL attacks (Immerda <admin at immerda.ch>).
M doc/Horde/Crypt/CHANGES
M doc/Horde/Crypt/changelog.yml
M package.xml
https://github.com/horde/Crypt/commit/1d95aeff1674f8bfe534ffb2d5376368d328862e
More information about the commits
mailing list