The branch "master" has been updated. The following is a summary of the commits.
from: f3bceee701eb5f6c6f69c718e1f4ad578b8d0d7a ef329a8 mitigate efail 7a3a722 Enforce MDC when encrypting symmetrically. 1c054ce Always check STDERR. 64d67c7 Add unit tests for MDC verification. 1d95aef [jan] Enforce MDC verification when decrypting PGP messages to mitigatet EFAIL attacks (Immerda <[email protected]>). Summary: https://github.com/horde/Crypt/compare/f3bceee701eb...1d95aeff1674 ----------------------------------------------------------------------- commit ef329a890572c6381ddf6d491a55423d9de0a0cb Author: Immerda <[email protected]> Date: Mon, 14 May 2018 22:47:33 +0200 mitigate efail This commit prevents the gpg backend from decrypting non integrity protected messages. The efail [0] vurneability relies on the attacker being able to inject content into an encrypted mail. According to [1], the correct way of detecting if decryption succeeded is not to check the return code. Instead the `--status-fd` should be checked for DECRYPTION_OKAY. Imp currently displays the decrypted body (including the gpg warning) in the message pane. This opens up decryption oracle attacks. [0] https://efail.de/ [1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS M lib/Horde/Crypt/Pgp/Backend/Binary.php https://github.com/horde/Crypt/commit/ef329a890572c6381ddf6d491a55423d9de0a0cb ----------------------------------------------------------------------- commit 7a3a722de2f6f9c99c155dede41571e954524c95 Author: Jan Schneider <[email protected]> Date: Tue, 15 May 2018 22:30:46 +0200 Enforce MDC when encrypting symmetrically. M lib/Horde/Crypt/Pgp/Backend/Binary.php M test/Horde/Crypt/fixtures/pgp_encrypted_symmetric.txt https://github.com/horde/Crypt/commit/7a3a722de2f6f9c99c155dede41571e954524c95 ----------------------------------------------------------------------- commit 1c054ce750c99229cadb75e81b80b49047d1cfb9 Author: Jan Schneider <[email protected]> Date: Tue, 15 May 2018 22:31:13 +0200 Always check STDERR. M lib/Horde/Crypt/Pgp/Backend/Binary.php https://github.com/horde/Crypt/commit/1c054ce750c99229cadb75e81b80b49047d1cfb9 ----------------------------------------------------------------------- commit 64d67c72ed26a380f21cd7542cb0f8d1197c10ed Author: Jan Schneider <[email protected]> Date: Tue, 15 May 2018 22:31:46 +0200 Add unit tests for MDC verification. M test/Horde/Crypt/Pgp/TestBase.php A test/Horde/Crypt/fixtures/mdc/correct A test/Horde/Crypt/fixtures/mdc/correct-withoutcrc A test/Horde/Crypt/fixtures/mdc/manipulated-withoutmdc A test/Horde/Crypt/fixtures/mdc/manmessage A test/Horde/Crypt/fixtures/mdc/public-key.gpg A test/Horde/Crypt/fixtures/mdc/secret-key.gpg A test/Horde/Crypt/fixtures/mdc/testmessage A test/Horde/Crypt/fixtures/mdc/withoutmdc A test/Horde/Crypt/fixtures/mdc/wrongmdc https://github.com/horde/Crypt/commit/64d67c72ed26a380f21cd7542cb0f8d1197c10ed ----------------------------------------------------------------------- commit 1d95aeff1674f8bfe534ffb2d5376368d328862e Author: Jan Schneider <[email protected]> Date: Tue, 15 May 2018 22:35:12 +0200 [jan] Enforce MDC verification when decrypting PGP messages to mitigatet EFAIL attacks (Immerda <[email protected]>). M doc/Horde/Crypt/CHANGES M doc/Horde/Crypt/changelog.yml M package.xml https://github.com/horde/Crypt/commit/1d95aeff1674f8bfe534ffb2d5376368d328862e -- commits mailing list Frequently Asked Questions: http://wiki.horde.org/FAQ To unsubscribe, mail: [email protected]
