[commits] Crypt branch FRAMEWORK_5_2 updated. 13fc791cdde31c2e577b466d3036744dbe50de0b

jan at horde.org jan at horde.org
Tue May 15 20:44:08 UTC 2018


The branch "FRAMEWORK_5_2" has been updated.
The following is a summary of the commits.

from: 15f7313c59d46ca61beedfec11a2fcafc599f381

927ae98 mitigate efail
612cfec Enforce MDC when encrypting symmetrically.
6031580 Add unit tests for MDC verification.
bd4916f [jan] Enforce MDC verification when decrypting PGP messages to mitigatet EFAIL attacks (Immerda <admin at immerda.ch>).
2eee0a6 Typo
13fc791 Update changelogs.

Summary: https://github.com/horde/Crypt/compare/15f7313c59d4...13fc791cdde3

-----------------------------------------------------------------------

commit 927ae980964fc31b6c7058e8ac7c44eb5e6fbab3
Author: Immerda <admin at immerda.ch>
Date:   Tue, 15 May 2018 22:42:45 +0200

mitigate efail

This commit prevents the gpg backend from decrypting non integrity
protected messages. The efail [0] vurneability relies on the attacker
being able to inject content into an encrypted mail.

According to [1], the correct way of detecting if decryption succeeded
is not to check the return code. Instead the `--status-fd` should be
checked for DECRYPTION_OKAY.

Imp currently displays the decrypted body (including the gpg warning)
in the message pane. This opens up decryption oracle attacks.

[0] https://efail.de/
[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS

 M lib/Horde/Crypt/Pgp/Backend/Binary.php

https://github.com/horde/Crypt/commit/927ae980964fc31b6c7058e8ac7c44eb5e6fbab3

-----------------------------------------------------------------------

commit 612cfec226c15c519645d398eebd1b500f69c449
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:42:45 +0200

Enforce MDC when encrypting symmetrically.

 M lib/Horde/Crypt/Pgp/Backend/Binary.php
 M test/Horde/Crypt/fixtures/pgp_encrypted_symmetric.txt

https://github.com/horde/Crypt/commit/612cfec226c15c519645d398eebd1b500f69c449

-----------------------------------------------------------------------

commit 6031580f5d8858ee1238f00b557d315e5d891b48
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:42:45 +0200

Add unit tests for MDC verification.

 M test/Horde/Crypt/Pgp/TestBase.php
 A test/Horde/Crypt/fixtures/mdc/correct
 A test/Horde/Crypt/fixtures/mdc/correct-withoutcrc
 A test/Horde/Crypt/fixtures/mdc/manipulated-withoutmdc
 A test/Horde/Crypt/fixtures/mdc/manmessage
 A test/Horde/Crypt/fixtures/mdc/public-key.gpg
 A test/Horde/Crypt/fixtures/mdc/secret-key.gpg
 A test/Horde/Crypt/fixtures/mdc/testmessage
 A test/Horde/Crypt/fixtures/mdc/withoutmdc
 A test/Horde/Crypt/fixtures/mdc/wrongmdc

https://github.com/horde/Crypt/commit/6031580f5d8858ee1238f00b557d315e5d891b48

-----------------------------------------------------------------------

commit bd4916f786e7d5ff93e7bac4f72602fd12b7d717
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:42:45 +0200

[jan] Enforce MDC verification when decrypting PGP messages to mitigatet EFAIL attacks (Immerda <admin at immerda.ch>).

 M doc/Horde/Crypt/changelog.yml

https://github.com/horde/Crypt/commit/bd4916f786e7d5ff93e7bac4f72602fd12b7d717

-----------------------------------------------------------------------

commit 2eee0a6f427a8156e842b64994f1f6c725681047
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:43:35 +0200

Typo

 M doc/Horde/Crypt/changelog.yml

https://github.com/horde/Crypt/commit/2eee0a6f427a8156e842b64994f1f6c725681047

-----------------------------------------------------------------------

commit 13fc791cdde31c2e577b466d3036744dbe50de0b
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:43:59 +0200

Update changelogs.

 M doc/Horde/Crypt/CHANGES
 M package.xml

https://github.com/horde/Crypt/commit/13fc791cdde31c2e577b466d3036744dbe50de0b


More information about the commits mailing list