The branch "FRAMEWORK_5_2" has been updated. The following is a summary of the commits.
from: 15f7313c59d46ca61beedfec11a2fcafc599f381

927ae98 mitigate efail
612cfec Enforce MDC when encrypting symmetrically.
6031580 Add unit tests for MDC verification.
bd4916f [jan] Enforce MDC verification when decrypting PGP messages to mitigate EFAIL attacks (Immerda <[email protected]>).
2eee0a6 Typo
13fc791 Update changelogs.

Summary: https://github.com/horde/Crypt/compare/15f7313c59d4...13fc791cdde3

-----------------------------------------------------------------------
commit 927ae980964fc31b6c7058e8ac7c44eb5e6fbab3
Author: Immerda <[email protected]>
Date: Tue, 15 May 2018 22:42:45 +0200

mitigate efail

This commit prevents the gpg backend from decrypting non integrity
protected messages.

The efail [0] vulnerability relies on the attacker being able to inject
content into an encrypted mail. According to [1], the correct way of
detecting if decryption succeeded is not to check the return code.
Instead the `--status-fd` should be checked for DECRYPTION_OKAY.

Imp currently displays the decrypted body (including the gpg warning)
in the message pane. This opens up decryption oracle attacks.

[0] https://efail.de/
[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS

 M lib/Horde/Crypt/Pgp/Backend/Binary.php

https://github.com/horde/Crypt/commit/927ae980964fc31b6c7058e8ac7c44eb5e6fbab3

-----------------------------------------------------------------------
commit 612cfec226c15c519645d398eebd1b500f69c449
Author: Jan Schneider <[email protected]>
Date: Tue, 15 May 2018 22:42:45 +0200

Enforce MDC when encrypting symmetrically.

 M lib/Horde/Crypt/Pgp/Backend/Binary.php
 M test/Horde/Crypt/fixtures/pgp_encrypted_symmetric.txt

https://github.com/horde/Crypt/commit/612cfec226c15c519645d398eebd1b500f69c449

-----------------------------------------------------------------------
commit 6031580f5d8858ee1238f00b557d315e5d891b48
Author: Jan Schneider <[email protected]>
Date: Tue, 15 May 2018 22:42:45 +0200

Add unit tests for MDC verification.

 M test/Horde/Crypt/Pgp/TestBase.php
 A test/Horde/Crypt/fixtures/mdc/correct
 A test/Horde/Crypt/fixtures/mdc/correct-withoutcrc
 A test/Horde/Crypt/fixtures/mdc/manipulated-withoutmdc
 A test/Horde/Crypt/fixtures/mdc/manmessage
 A test/Horde/Crypt/fixtures/mdc/public-key.gpg
 A test/Horde/Crypt/fixtures/mdc/secret-key.gpg
 A test/Horde/Crypt/fixtures/mdc/testmessage
 A test/Horde/Crypt/fixtures/mdc/withoutmdc
 A test/Horde/Crypt/fixtures/mdc/wrongmdc

https://github.com/horde/Crypt/commit/6031580f5d8858ee1238f00b557d315e5d891b48

-----------------------------------------------------------------------
commit bd4916f786e7d5ff93e7bac4f72602fd12b7d717
Author: Jan Schneider <[email protected]>
Date: Tue, 15 May 2018 22:42:45 +0200

[jan] Enforce MDC verification when decrypting PGP messages to mitigate EFAIL attacks (Immerda <[email protected]>).

 M doc/Horde/Crypt/changelog.yml

https://github.com/horde/Crypt/commit/bd4916f786e7d5ff93e7bac4f72602fd12b7d717

-----------------------------------------------------------------------
commit 2eee0a6f427a8156e842b64994f1f6c725681047
Author: Jan Schneider <[email protected]>
Date: Tue, 15 May 2018 22:43:35 +0200

Typo

 M doc/Horde/Crypt/changelog.yml

https://github.com/horde/Crypt/commit/2eee0a6f427a8156e842b64994f1f6c725681047

-----------------------------------------------------------------------
commit 13fc791cdde31c2e577b466d3036744dbe50de0b
Author: Jan Schneider <[email protected]>
Date: Tue, 15 May 2018 22:43:59 +0200

Update changelogs.

 M doc/Horde/Crypt/CHANGES
 M package.xml

https://github.com/horde/Crypt/commit/13fc791cdde31c2e577b466d3036744dbe50de0b
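
The check described in the "mitigate efail" commit message, deciding on `--status-fd` keywords instead of the exit code and releasing no plaintext otherwise, as an added PHP example; it is not the code from Binary.php. The function names and status samples are constructed, and additionally requiring GOODMDC is an assumption of this example, used to refuse messages that carry no MDC.

```php
<?php
// Added example, not Horde code. Function names are hypothetical.

/** Collect keywords from "[GNUPG:] KEYWORD args" lines of --status-fd output. */
function gpgStatusKeywords(string $status): array
{
    $keywords = [];
    foreach (preg_split('/\r?\n/', $status) as $line) {
        if (preg_match('/^\[GNUPG:\] ([A-Z0-9_]+)/', $line, $m)) {
            $keywords[$m[1]] = true;
        }
    }
    return $keywords;
}

/**
 * Return gpg's stdout only when the status stream proves an intact message.
 * The exit code is deliberately not consulted. On any doubt return null, so
 * the caller has nothing (body or gpg warning) to render in the message pane.
 */
function releasePlaintext(string $status, string $stdout): ?string
{
    $kw = gpgStatusKeywords($status);
    if (isset($kw['DECRYPTION_FAILED']) || isset($kw['BADMDC'])) {
        return null;                       // gpg itself reported a failure
    }
    // Assumption of this example: demand GOODMDC as well as DECRYPTION_OKAY,
    // so a message without integrity protection is never released.
    if (!isset($kw['DECRYPTION_OKAY'], $kw['GOODMDC'])) {
        return null;
    }
    return $stdout;
}

// Constructed status streams (not captured from a real gpg run).
$samples = [
    'intact'   => "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 2 9\n"
                . "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n",
    'no MDC'   => "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 0 3\n"
                . "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n",
    'tampered' => "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 2 9\n"
                . "[GNUPG:] BADMDC\n[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n",
];

foreach ($samples as $name => $status) {
    $body = releasePlaintext($status, "decrypted body\n");
    printf("%-8s => %s\n", $name, $body === null ? 'rejected' : 'released');
}
```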
