mailcrypt-3.5.x security patch

Sat, 19 Aug 2000 13:33:28 -0700 


Here's a security patch which applies to a security problem introduced
in mailcrypt-3.5 and applying to all mailcrypt-3.5.x versions.

(You have to upgrade to mailcrypt-3.5.5 before applying this patch).

With mailcrypt-3.4 you can optionally specify your PGP key to use if
you have multiple identities, with an entry in your .emacs file which
looks like this:

(set-variable 'mc-pgp-user-id "Adam Back <[EMAIL PROTECTED]>")

Mailcrypt-3.5 introduced pgp5 and gnuPG support.  But they also
changed the variable name.  So if kept your existing .emacs file, they
would silently ignore your user-id selection, and use the default
behavior which is to search for the key with user-id containin as a
substring your unix log in name.

As a result you could for example use mailcrypt's remailer features,
and upgrade to mailcrypt-3.5.5 from mailcrypt-3.4 and end up exposing
the first identity lexically on your secret keyring.

The patch below fixes this problem.

I also enabled Cc, Bcc and optional forged From pasting support for
remailers (some support From pasting).


The rest of this is about minor bug fixes and details.

I don't know enough e-lisp to fix this ChangeLog entry, but it's kind
of sucky.  At least it's documented now.  (I documented it in the
texi).

        * mailcrypt.texi: documented bug with mc-pgp-keydir that you can't
        use ~ in the path.

Here's the NEWS entry:

 Noteworthy changes in Mailcrypt version 3.5.6b1:

 * fixed incompatibility introduced with old version (pre 3.5) 
   .emacs files, which could result in accidentally signing with the wrong
   identity.  Used with remailers, this could lead to identity compromise.

 * enabled Cc, Bcc pasting for remailers.  

 * enabled forged From pasting as remailers support that.

and here's the ChangeLog:

2000-08-19  Adam Back <[EMAIL PROTECTED]>

        * mc-pgp.el: made new pgp2 only variable mc-pgp26-user-id which
        defaults to mc-pgp-user-id which is now version independent.

        * mc-pgp5.el: made mc-pgp50-user-id default to mc-pgp-user-id
        to make old version .emacs files compatible.

        * mc-gpg.el: made mc-gpg-user-id default to mc-pgp-user-id
        to make old version .emacs files compatible.

        * mc-pgp.el: removed requirement that mc-pgp-keydir ends in /

        * mc-pgp.el: noticed bug with mc-pgp-keydir, it won't work if it has
        a ~ in it.  I didn't fix it because I don't know enough e-lisp.

        * mc-remail.el: fixed so it pastes Cc and Bcc, which remailers
        support.  Also enabled From pasting, as some remailers support this.

        * mailcrypt.texi: documented new mc-pgp26-user-id variable, and new
        defaults for mc-pgp50-user-id adn mc-gpg-user-id.

        * mailcrypt.texi: documented Cc, Bcc and From pasting.

        * mailcrypt.texi: documented fact that mc-pgp-keydir is in fact only
        used by pgp26 mode and ignored by pgp5 and gpg.

        * mailcrypt.texi: documented bug with mc-pgp-keydir that you can't
        use ~ in the path.

Adam

begin 644 mailcrypt-3.5.5-3.5.6b1.patch.gz
M'XL("#'VGCD``VUA:6QC<GEP="TS+C4N-2TS+C4N-F(Q+G!A=&-H`.U;:7/;
MQAG^+/^*#6=:D0Y!\19)):EL^:C;U/'$2C/]N`26Y%8@@&`!41R/^MO[O+N+
MBP)IV;%=N1.-AB+V>/>]+ZP\N5@PQV5K+GTWWD:),^B,.J.3BQ4/EN+'<+DS
M,Y[WBKE'CQ\_WK_SZ"U/V)-TR7I3UAO-1M/9H,OZW6[WD>,XA\#>W=@?F(V/
MJS_Z_%Y[P/0#0<7#@.&+\^A;O</I3AQ`84\\OF9/N7O%ON/X>NYNHY6(5<1=
MT0GCY0]8CM_L!T2Y3K2,.L*?`5%/L$!L&`;Z+`S\+;OFL>1S7]AE_;&3*A$[
MTF.;E717@'3DB05/_42Q)+2KJFN85"P(-^P:6,@P8#+P1"3P$20=@\Q1AL6H
M0,,.='-8]IB[IQ``&N17@H6^EY_3$6ON*K:0OE#,#=<13R0HJ9RYC):5(_'\
M>0_,6!V+=7@M//S]+95X`#-8LH(RV*.NQ-:3,0.;%!C&3NI@!&$B7<"80W\V
M,EE5][:93-@F#([I,[YB<D$#*ZX(#F?_(;`RZ3#VBGG2HV4+>4-+YL+EH)3&
M]>XK$IX(PG2Y8L+QI8HJ%`%YZ+=&"`"`C@H)2L15`C9<N(P''GOJNFVK#68]
M6$805!I%84Q8//&Q3P2D:QY[$8=K#4$&RS;C"C#7HMC)[#9P3*H2,IF==1)Q
M(V=`WTV)L0!(2GU'@S/=;FL4L:2BS8LPOJN$W`MVU.1>QU^`>K!`GU.F[5Z;
M%]RMU0VI-4//DJD2'.`$==AJ^QVS=0BEIB/E,@CC?&:DQTCS[W-ZO7(9?+9A
MREP.';%G&Z5*5@+T)2L-GL&S3:=.%[\3QIZ"X0'[E<>!B!G[;J._G/LAH,4=
M6,P/6(_?JFW&XIJO(YBCQE`C#XN3"Q##8T7J`&.$0_5\\<C;X^-?/__U;8T?
MIN%:STX31[^"_)_`739F_?ZL-YD-IYJ:/4Y=[RG[\_&L.YA!#O?UY[W<G[\.
M$P&C359;YNI0H47]C^S(W./8HV?6IS^V%BB#S/M(7R9;/"=QZ*7D*[0HRTZK
M&<6"X+1L5"@[L<QDW3#UR54I<H=`A+NN)/?-?40(!>V"*AO()/M-'`9+`TRO
M`@:P[U]4=GINQFUMOQ:Z+[A'@LRV:`<*4Y$J<Z`@+_,/F3U9,]*VFH/%87<V
M8,%RQZ^06ZGS*#RQBOLA0AC-C.;BR)=!^N9E#L_&OB(:&![8O5#=5:P=:Z_3
M[>S5WL(\A5^C>.7I6FTN+]C1ZGYOUNT=TNK*WFJVTN_.>L/]VMWO#MK][M1H
M.&-G9[>WMX9+9V?OWKTCC8AS'PPW_@UKPOFZX(KV=!E[&YJ&1@O[:!X;:#81
MZ\B!(Q)N$L9;UCA)UE&#!,`:CY]E@5N0V\C70+GF@F4N,I=C9Q>TC0".<E>(
MR^P80^8K^;\2>!'H_82C78H3`)X`$B\S^K5-_T[ZQ_.OC`$_4?((<]E1Q5DI
MU,A@$=YWG=.[]\K^/<R(HMQ!7:<%[S$E6E)C3./[&9/>O6-.E/\?"!:G[?XP
M,Z9SM86/]P3ETC=L$3`W,JIUKD3"+E]=_OB\$#`T2P__\_G/;U_]]-HXK&SP
MES?/GEP^?T9XI%"\_K1-!$PL-+G04L*##E$:!:O/OQL%,&0/$CT@H?FPBT0=
M7X;#27LX&F><,1%KS1-HI-+Q2"4QN?MS0O9=-9._/3,AJ%3"T(%Z95.O\<.E
M#)R`KT7KMF-B@LE]S#YH&D6/!<65-R_?').WC]?<!Q0+LUT40<8Z-$X+&8/.
M<,'.8:*K=PBDM_2DT46>`Y8@SZ)(=AF"1VNYEJZ%/Q<K?BU#I/?$.(U%7J/A
M`(-[HP%D+RMS4@&0BH0+;KJTDFRYWQEW;LXJK"F2W5N=:N5SI9P7,[$`.$+7
M#6,D!E$8>,3DW)WID$Q'C#I=#4>'Q8Z1Z*N%3ATW/$@RIO`2W0SYH-`I9D#K
MXKP2(YA9NH$E@+062O$E,G@$=04@2&:HBN'Q,C4E55@08-T5B;%Y22*4E(%L
M(Z%UVZC1)-/N/]0H4R-LQ.^_3*K/.)5IM,62KBHZE:4ULWTJU2:++TT5U=@!
M;2/\(051:!>@E*KS6I&TJ>!%A4S(/E"UJ_-FD^&P/1EU,V]&/"$\SZ_FWKL+
MQ+03%M\2^%AL8@DED@8]GJ>RE*O*`(>1Q'0!#S#B6@0H<(7.L%7"X\10B)I7
MQ4B\B6S;T``QH4K.LMJ._9L<,J6OH2+*>49[%HJ+*C,6D<]=HYCG"B7;N\OP
MEODRL#DOU]Z>QE_CV"7RWDC9^;D`$0+H:@LKTVI%=WYMPDS>;X"0P73(^EIX
MSDJ3H+"NR,XWTO?94J"^Y`GAQT0<@U'26(>/&J!@F2U:->>`!/2+/,)D.(8H
MQIE'^$,4*.("&)\R".F2"'!D4G(G\#$W:^K\9/480:$"R-9#*J^^X*9^%O!Z
M,`\4FH#S(O3]<)-&3A*VV:O`(1JV^H&JMK:N^6PKR9B2,.6<\8A*KB-?+K8$
MJ%SD52I#XW+STDPWO[(>F>Y7&5$0`,!92(&Z-"U(%IY,-$OG*?EK.I9[GMD3
M;J@5`Z%I'ZZWMOY'NEN;/`ZFPS8^IJ5^P[#;;>-C6B1TI!#?PH?/H6#?]XQ'
MIAZ+=7PL3),H3>Z25?2%3.%MPYNH>F:S`@'*E`R0F^XP\VL0PO/*F(("Y204
M-P!*MZIT16V:6-5092OU5PLSO!)I+"%WEX`OK/:1!D!$[=R,UCQ(=><B$6!S
MD:)2T(<^&GF6PH(.^P"(F@FQ),F8D>&01_HJF6V8TY5!=U8ODF&W3_R?9+Z^
M">B_[;39&B<4S]1)Q!/_I(.)$UVLG0NPA3JQ)(IO*ND$OL26<@5-T1F#R0YL
MJ]F[+<(A+2^81AQ#;(I\P15U6ZV54*.$ZSY@\SRZ0:1[=Q&3*:A;H^%&F7I$
M3+^;*=.G("9O+S+36]2^5EM.8)WFBMK"18&;=:[#A4U.-WQK0)FFE@NQPP/%
MX3+F:V6:4FR10@MTOY*9E%FE[A6DG6IN`E`$G*&OFU7(PKFQ6INVP=KJ&^2$
MJNFF?V)>[RUMLW9I7=&9S=47M-GLT>4J-;7L*>MV9_W!;'BXELTWELO8_@R5
M;.]T?QD['K=/!WE/")2[,I(0J.X&"KC;)$:8`XO#`(GW$C;HQ6$4V>8A-&+A
M\^52]^\RO]A4"5QHK.&13/0N7B1I)$JP-A,7W)9TR;&:C)HR9+;BGD[C0ACT
MNF44L=01*;\6NI/08RDU75["1[UZ1G&MDCSF+=#=+@O!)+5C#7QK``!%-`(B
M;H2;)MJ]U>WQH%\^WSHJX/'",2Z9!=*WO1_2-.A5&+$TTAPED';5!J1#5>'F
M`J:W$QMUA6!;5B2<T[QA]9"%<W;V`>(Y.[NG@"I"+[_(W"=T%%.'8*)<\HM>
M+U9A_9US*M@CQN\<O?/XD8A0%`0#'KP6'G!PYK5GO2<R<_L<G)D]NDP%^UOJ
MPS>Q[I2ZUZ/1>QR<W5AU<(/A;#@ZT/;NM_M%3+=!EQWG\%LF(GQ:1;LC(X)I
MY(IOF5P)R`&YTIX/E2N!O*]W`6<&18+PA3AS+Q.LOA?^K$:(-;KK]N`E5INS
MGJ**F.3=B2-]A:29ORAWN(^,2SG4+-$=$];<.F'L!$[$&F_IF1"PKO\OK-%J
M$3U'3<K(`@.ODC>6P27$Y'P!Y>5-N\H/PZM4)YD:E3O2LJ<P+=<FM82PM,6:
M)CXU7H<:6E&&E-H]X$.KC!>U>S8>C1S1Z=Q-Y#6"E6/'38]\#!;U,S5_V"PJ
ME/[+,:E6KR:G[=XT3PO-SUXZCP,!@VY9=Y'Q%_@1^0>)KU.,#`31;7HG6=+#
MBNZ=`WH=,G26G5!:UJ1W=OCT8L.T8HI.T$HQF8*^4:84GYF^7:E^;@IKH^!P
MVNXCOF:>HFE[)DVD?X[Y[J#"IDP/.-@![4LU!CQ>*DUD(#::,J,\V1T$(AO4
M982E<&/./,0?'F^-,_YX1W&6\^I^5F#OI12&D!^>2;KD'?JC'MB2I]@/FBV[
M:O39&%.G/X,!DH7!I/`(31]U0Y/\H`OG"*V]EG$8Z&Y[S5CK(YAK>9GQ^/?J
MT0=RJ^I,BX,+;\K8OI@S&`S;@V&W<"]?`;-VM>L+L:M.UX;=7GO8/<US=N17
M:9#)5`;`,G&B=.Y+UY#Q9]/!Y#[+C,WR^\.-N<HWRCWK%:I"HV9ZTY<J88VB
M78N4\=LYO:^DMP#TX/-@F2*+^%X$>'2N;OBBP<K`BC37#=>D"(7O-T<8K[^@
M5Y%TE%WU_9]48V=C2V_(HMVP.VB7^LH/AY]EG?MJ.%JKL:-)>S@>EO(E`_F8
MS$)X,&[/T6]SCHXLV)V)5F47I.#,!54SU4W5\;M[2L>4MQ2'?%/:8#E?+-W-
M4<RMJ+]#(Q8"3(=U9]WEX;@+<L>E].GK([<F*:LG^'`'9'2H!3(ZW`.AZ:,7
ML=1-$-:G"ZJ#R:P[>7\39%33YL7F`U=;^[WW=T&*87$3"3>YVW>M7K[^A+T1
M0,6G*`IN4:ZXZ<[*,0T>OZ?X-F!4`4;5@5'W`W-=@+FN`W.]"T8GE+WW]U3N
MQ><OU6<IR_.]?98=3_%A;1;P[?]6]`><1/[_&/76G$_O<Q3Y@H]P%<7>LK/H
MS8;Z[OS^JXW3/LKC27&%3^@;.'3+C/+5=928*]Q&WI$2J1<&V[7A9Y6E!]ZP
MD_(<-QO%K0-PNG3I`$^E6P>-ENV?_=7<R=!O])5]*V'PLO#IE=V*J]6:QU?,
MGF5(,!=#]+]Y:#3UVT5)+_ATI@']-7?*%(.=9:^5"[@65OFZF&DF6&[E-]4>
M`+<PAY/QY\+%QU/7?:#\J].^T\FX?3H=WBDU]94*I:N(G$]T+\<Q$PXG+%H?
M4SQI`/K9W-O(LU:Z?"T5)RX[YOI)X^*BD:>7-=,O]+RS=_YI>;].1(O#;95$
M-XI`,1CHT`4DV[1L7*S"4-^0RZ^:A/9&TXPUF&5.('UD89""FSCZLJ0M`3*>
=[E:D7Y:G9V<'N7IHP=-[\?V+\O6_I+ZTI,`Z``!.
`
end

Reply via email to