On Fri, Feb 06, 2009 at 03:15:17PM -0800, Daniel Moerner wrote:
> Package: iceweasel-firegpg
> Version: 0.5.dfsg-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi, Debian is currently set to release iceweasel-firegpg in Lenny. Unfortunately,
> as the firegpg home page explains, version 0.5 suffers from some serious security
> problems. It seems that the gist of it is the unsafe creation and destruction of
> 3 temp files.
>
> http://securityvulns.com/Udocument757.html
>
> Upstream did not label their fixing of this in the upstream svn between 0.5.3 and
> 0.6.0. Three revisions are candidates for the fix: r464, r465, or r467. r467 is the
> most likely from a brief glance at the code. However, I do not have the time or
> skill to pull the patch from those revisions that will fix this.
>
> I am hopeful that we can get this resolved before Lenny releases without the need
> to pull the severely outdated iceweasel-firegpg package, but I'm not sure if that
> is possible.
Quoting from the above web site:

    When a user receives an encrypted email and asks FireGPG to decrypt it,
    FireGPG prompts the user for her passphrase and then creates three
    temporary files. One for the ciphertext, one for the resulting cleartext
    (!), and one for the user's passphrase (!). The user's passphrase is then
    written to disk, and the temporary file in which it resides is passed to
    the gpg executable as a command-line argument. The cleartext from the
    decrypt operation is then written to disk as well, from where it is
    subsequently read and displayed to the user. The same process occurs for
    emails that are being encrypted and signed. Notably, in the latter cases
    the pre-encrypted cleartext is written to disk, as is the passphrase for
    the signing key.

I think we should rather remove it altogether. The above is likely only the tip of the iceberg. Anyone who insists on continuing to use firegpg can still install it through the XPI installer.

Cheers,
Moritz
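For readers of this bug who want to see the fix pattern rather than the flaw, here is an added example (mine, not FireGPG's code and not from the advisory) of how a wrapper hands gpg a passphrase and ciphertext without either secret ever touching the filesystem: the passphrase goes down an anonymous pipe that the child inherits (`--passphrase-fd N`, which gpg has had since the 1.x days), the ciphertext goes in on stdin, and the cleartext comes back on stdout. The gpg argv assumes a 2.1+ gpg, where `--pinentry-mode loopback` is additionally needed for `--passphrase-fd` to be honoured; the stand-in child at the bottom is a constructed substitute for gpg so the plumbing can be exercised on a machine without it.

```python
import os
import subprocess
import sys


def gpg_decrypt_argv(passphrase_fd):
    """argv for gpg reading the passphrase from an inherited descriptor.

    Assumes gpg >= 2.1 (hence --pinentry-mode loopback).  Ciphertext is read
    from stdin and cleartext written to stdout, so no temp files are involved.
    """
    return ["gpg", "--batch", "--quiet", "--pinentry-mode", "loopback",
            "--passphrase-fd", str(passphrase_fd), "--decrypt"]


def run_with_secret_fd(make_argv, secret, stdin_data):
    """Spawn a child that receives `secret` over a pipe and `stdin_data` on stdin.

    `make_argv(fd)` must return the command line for the child given the
    descriptor number it will find the secret on.  Returns the child's stdout.
    """
    read_end, write_end = os.pipe()
    try:
        proc = subprocess.Popen(
            make_argv(read_end),
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            pass_fds=(read_end,),   # child inherits only the read end
        )
    except Exception:
        os.close(write_end)
        raise
    finally:
        os.close(read_end)          # parent keeps only the write end
    try:
        # Passphrases are far smaller than the kernel pipe buffer, so this
        # write never blocks waiting for the child; close gives the child EOF.
        os.write(write_end, secret)
    finally:
        os.close(write_end)
    out, err = proc.communicate(stdin_data)
    if proc.returncode != 0:
        raise RuntimeError("child failed: " + err.decode(errors="replace"))
    return out


def stand_in_child_argv(passphrase_fd):
    """Constructed gpg substitute: echoes what it got on the fd and on stdin."""
    code = (
        "import os, sys\n"
        "fd = int(sys.argv[1])\n"
        "pw = os.read(fd, 4096)\n"
        "data = sys.stdin.buffer.read()\n"
        "sys.stdout.buffer.write(b'pw=' + pw + b';data=' + data)\n"
    )
    return [sys.executable, "-c", code, str(passphrase_fd)]


def demo():
    # Constructed sample values; with a real key this would be
    # run_with_secret_fd(gpg_decrypt_argv, passphrase, ciphertext_bytes)
    return run_with_secret_fd(stand_in_child_argv, b"correct horse", b"-----BEGIN PGP MESSAGE-----")


if __name__ == "__main__":
    print(demo())
    print(" ".join(gpg_decrypt_argv(3)))
```

The point of the pipe is that the secret exists only in the two processes' memory: there is no file to be left behind by a crash, to be read by another local user between creation and deletion, or to be recovered from the disk later, which is the whole class of problem the advisory describes. The same layout works for signing and encrypting by swapping `--decrypt` for `--sign` or `--encrypt` plus a recipient, with the cleartext going in on stdin instead of a temp file.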