On Fri, Feb 06, 2009 at 03:15:17PM -0800, Daniel Moerner wrote:
> Package: iceweasel-firegpg
> Version: 0.5.dfsg-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi, Debian is currently set to release iceweasel-firegpg in Lenny.
> Unfortunately, as the firegpg home page explains, version 0.5 suffers
> from some serious security problems. It seems that the gist of it is
> the unsafe creation and destruction of 3 temp files.
> 
> http://securityvulns.com/Udocument757.html
> 
> Upstream did not label their fixing of this in the upstream svn between
> 0.5.3 and 0.6.0. Three revisions are candidates for the fix: r464, r465,
> or r467. r467 is the most likely from a brief glance at the code.
> However, I do not have the time or skill to pull the patch from those
> revisions that will fix this.
> 
> I am hopeful that we can get this resolved before Lenny releases without
> the need to pull the severely outdated iceweasel-firegpg package, but
> I'm not sure if that is possible.

Quoting from the above web site:
When a user receives an encrypted email and asks FireGPG to decrypt it,
FireGPG prompts the user for her passphrase and then creates three
temporary files.  One for the ciphertext, one for the resulting
cleartext (!), and one for the user's passphrase (!).  The user's
passphrase is then written to disk, and the temporary file in which it
resides is passed to the gpg executable as a command-line argument. The
cleartext from the decrypt operation is then written to disk as well,
from where it is subsequently read and displayed to the user.  The same
process occurs for emails that are being encrypted and signed.  Notably,
in the latter cases the pre-encrypted cleartext is written to disk, as
is the passphrase for the signing key. 

I think we should rather remove it altogether. The above is likely only the tip
of the iceberg. Anyone who insists on continuing to use firegpg can still
install it through the XPI installer.

Cheers,
        Moritz
