[commits] Crypt branch FRAMEWORK_5_2 updated.	13fc791cdde31c2e577b466d3036744dbe50de0b
    jan at horde.org 
    Tue May 15 20:44:08 UTC 2018
The branch "FRAMEWORK_5_2" has been updated.
The following is a summary of the commits.
from: 15f7313c59d46ca61beedfec11a2fcafc599f381
927ae98 mitigate efail
612cfec Enforce MDC when encrypting symmetrically.
6031580 Add unit tests for MDC verification.
bd4916f [jan] Enforce MDC verification when decrypting PGP messages to mitigate EFAIL attacks (Immerda <admin at immerda.ch>).
2eee0a6 Typo
13fc791 Update changelogs.
Summary: https://github.com/horde/Crypt/compare/15f7313c59d4...13fc791cdde3
-----------------------------------------------------------------------
commit 927ae980964fc31b6c7058e8ac7c44eb5e6fbab3
Author: Immerda <admin at immerda.ch>
Date:   Tue, 15 May 2018 22:42:45 +0200
mitigate efail
This commit prevents the gpg backend from decrypting non integrity
protected messages. The efail [0] vulnerability relies on the attacker
being able to inject content into an encrypted mail.
According to [1], the correct way of detecting if decryption succeeded
is not to check the return code. Instead the `--status-fd` should be
checked for DECRYPTION_OKAY.
Imp currently displays the decrypted body (including the gpg warning)
in the message pane. This opens up decryption oracle attacks.
[0] https://efail.de/
[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS
 M lib/Horde/Crypt/Pgp/Backend/Binary.php
https://github.com/horde/Crypt/commit/927ae980964fc31b6c7058e8ac7c44eb5e6fbab3
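
The status-fd check described in the commit message above, as an added Python example; it is not Horde's PHP code and not part of this commit. `GOODMDC`, `BADMDC` and `DECRYPTION_FAILED` are GnuPG status keywords from doc/DETAILS that the message does not name; the function names, the acceptance policy and the sample status streams are assumptions constructed for illustration.

```python
# Added example: decide from `gpg --status-fd` output whether plaintext may be shown.
# Keywords are GnuPG's (doc/DETAILS); policy and names are this example's assumptions.
PREFIX = "[GNUPG:] "

def parse_status(status_text):
    """Return the keywords of genuine status lines, ignoring everything else."""
    keywords = []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue  # human-readable diagnostics are not machine status
        fields = line[len(PREFIX):].split()
        if fields:
            keywords.append(fields[0])
    return keywords

def may_release_plaintext(status_text):
    """Return (ok, reason). The gpg exit code is deliberately not consulted."""
    seen = set(parse_status(status_text))
    if "DECRYPTION_FAILED" in seen:
        return False, "gpg reported DECRYPTION_FAILED"
    if "BADMDC" in seen:
        return False, "integrity check failed (BADMDC)"
    if "DECRYPTION_OKAY" not in seen:
        return False, "no DECRYPTION_OKAY status line"
    if "GOODMDC" not in seen:
        return False, "message is not integrity protected (no GOODMDC)"
    return True, "decrypted and integrity verified"

# Constructed sample status streams (not captured from a real gpg run).
SAMPLE_OK = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION"""
SAMPLE_NO_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 9
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"""
SAMPLE_BAD_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION"""
# A diagnostic line that merely mentions the keywords must not count as status.
SAMPLE_SPOOF = "gpg: note DECRYPTION_OKAY GOODMDC\n[GNUPG:] END_DECRYPTION"

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_NO_MDC", "SAMPLE_BAD_MDC", "SAMPLE_SPOOF"):
        print(name, may_release_plaintext(globals()[name]))
```

When the check fails, the caller should discard the decrypted output rather than render it next to the warning, since displaying it is what the commit message identifies as the oracle.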
-----------------------------------------------------------------------
commit 612cfec226c15c519645d398eebd1b500f69c449
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:42:45 +0200
Enforce MDC when encrypting symmetrically.
 M lib/Horde/Crypt/Pgp/Backend/Binary.php
 M test/Horde/Crypt/fixtures/pgp_encrypted_symmetric.txt
https://github.com/horde/Crypt/commit/612cfec226c15c519645d398eebd1b500f69c449
-----------------------------------------------------------------------
commit 6031580f5d8858ee1238f00b557d315e5d891b48
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:42:45 +0200
Add unit tests for MDC verification.
 M test/Horde/Crypt/Pgp/TestBase.php
 A test/Horde/Crypt/fixtures/mdc/correct
 A test/Horde/Crypt/fixtures/mdc/correct-withoutcrc
 A test/Horde/Crypt/fixtures/mdc/manipulated-withoutmdc
 A test/Horde/Crypt/fixtures/mdc/manmessage
 A test/Horde/Crypt/fixtures/mdc/public-key.gpg
 A test/Horde/Crypt/fixtures/mdc/secret-key.gpg
 A test/Horde/Crypt/fixtures/mdc/testmessage
 A test/Horde/Crypt/fixtures/mdc/withoutmdc
 A test/Horde/Crypt/fixtures/mdc/wrongmdc
https://github.com/horde/Crypt/commit/6031580f5d8858ee1238f00b557d315e5d891b48
-----------------------------------------------------------------------
commit bd4916f786e7d5ff93e7bac4f72602fd12b7d717
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:42:45 +0200
[jan] Enforce MDC verification when decrypting PGP messages to mitigate EFAIL attacks (Immerda <admin at immerda.ch>).
 M doc/Horde/Crypt/changelog.yml
https://github.com/horde/Crypt/commit/bd4916f786e7d5ff93e7bac4f72602fd12b7d717
-----------------------------------------------------------------------
commit 2eee0a6f427a8156e842b64994f1f6c725681047
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:43:35 +0200
Typo
 M doc/Horde/Crypt/changelog.yml
https://github.com/horde/Crypt/commit/2eee0a6f427a8156e842b64994f1f6c725681047
-----------------------------------------------------------------------
commit 13fc791cdde31c2e577b466d3036744dbe50de0b
Author: Jan Schneider <jan at horde.org>
Date:   Tue, 15 May 2018 22:43:59 +0200
Update changelogs.
 M doc/Horde/Crypt/CHANGES
 M package.xml
https://github.com/horde/Crypt/commit/13fc791cdde31c2e577b466d3036744dbe50de0b
    
    