Bug#748835: kmail: Information leak when using GPG on Bcc recipients
Package: kmail
Version: 4:4.12.4-1
Severity: normal
Forwarded: https://bugs.kde.org/show_bug.cgi?id=335117
When sending e-mail to several recipients, of which some are Bcc with
the intention to hide them from the other recipients, using GPG leaks
information about those because the used encryption keys are visible on
the encrypted message.

GPG has a -R option that hides the used encryption key, and this method
is most likely also exposed through whatever KMail uses to run GPG. It
should be used for all Bcc recipients in order to not disclose their
existence!
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages kmail depends on:
ii kde-runtime 4:4.12.4-1
ii kdepim-runtime 4:4.12.4-2
ii kdepimlibs-kio-plugins 4:4.12.4-1
ii libakonadi-calendar4 4:4.12.4-1
ii libakonadi-contact4 4:4.12.4-1
ii libakonadi-kde4 4:4.12.4-1
ii libakonadi-kmime4 4:4.12.4-1
ii libakonadiprotocolinternals1 1.12.1-1
ii libc6 2.18-6
ii libcalendarsupport4 4:4.12.4-1
ii libfolderarchive4 4:4.12.4-1
ii libgcc1 1:4.9.0-3
ii libgpgme++2 4:4.12.4-1
ii libgrantlee-core0 0.3.0-5
ii libincidenceeditorsng4 4:4.12.4-1
ii libkabc4 4:4.12.4-1
ii libkalarmcal2 4:4.12.4-1
ii libkcalcore4 4:4.12.4-1
ii libkcalutils4 4:4.12.4-1
ii libkcmutils4 4:4.13.1-1
ii libkdecore5 4:4.13.1-1
ii libkdepim4 4:4.12.4-1
ii libkdeui5 4:4.13.1-1
ii libkio5 4:4.13.1-1
ii libkleo4 4:4.12.4-1
ii libkmime4 4:4.12.4-1
ii libknewstuff3-4 4:4.13.1-1
ii libknotifyconfig4 4:4.13.1-1
ii libkontactinterface4 4:4.12.4-1
ii libkparts4 4:4.13.1-1
ii libkpgp4 4:4.12.4-1
ii libkpimidentities4 4:4.12.4-1
ii libkpimtextedit4 4:4.12.4-1
ii libkpimutils4 4:4.12.4-1
ii libkprintutils4 4:4.13.1-1
ii libksieveui4 4:4.12.4-1
ii libktnef4 4:4.12.4-1
ii libmailcommon4 4:4.12.4-1
ii libmailimporter4 4:4.12.4-1
ii libmailtransport4 4:4.12.4-1
ii libmessagecomposer4 4:4.12.4-1
ii libmessagecore4 4:4.12.4-1
ii libmessagelist4 4:4.12.4-1
ii libmessageviewer4 4:4.12.4-1
ii libnepomukcore4 4:4.12.4-1+b1
ii libpimcommon4 4:4.12.4-1
ii libqt4-dbus 4:4.8.6+dfsg-1
ii libqt4-network 4:4.8.6+dfsg-1
ii libqt4-xml 4:4.8.6+dfsg-1
ii libqtcore4 4:4.8.6+dfsg-1
ii libqtgui4 4:4.8.6+dfsg-1
ii libqtwebkit4 2.2.1-7
ii libsendlater4 4:4.12.4-1
ii libsolid4 4:4.13.1-1
ii libsoprano4 2.9.4+dfsg-1
ii libstdc++6 4.9.0-3
ii libtemplateparser4 4:4.12.4-1
ii perl 5.18.2-4
Versions of packages kmail recommends:
ii gnupg-agent 2.0.22-3
ii gnupg2 2.0.22-3
ii pinentry-gtk2 [pinentry-x11] 0.8.3-2
Versions of packages kmail suggests:
pn clamav | f-prot-installer <none>
ii kaddressbook 4:4.12.4-1
ii kleopatra 4:4.12.4-1
ii procmail 3.22-21
pn spamassassin | bogofilter | annoyance-filter | spambayes | bsfi <none>
-- no debconf information
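
Added example, not part of the original report or of KMail/GnuPG code: a small parser that reads the recipient key IDs from the public-key encrypted session key (PKESK) packets at the front of a binary OpenPGP message, which is the information the report says is exposed. The sample messages are constructed bytes with made-up key IDs; an all-zero key ID is what a recipient given with -R looks like.

```python
PKESK_TAG = 1        # Public-Key Encrypted Session Key packet (RFC 4880, 5.1)
HIDDEN = "0" * 16    # all-zero key ID, written when a recipient is given with -R

def packets(data):
    """Yield (tag, body) for each packet of a binary (non-armored) OpenPGP message."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                return                       # partial length: data packet, PKESKs are done
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                return                       # indeterminate length: data packet
            n = 1 << ltype
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(data):
    """Key IDs readable from the outside of the message, without any secret key."""
    return [body[1:9].hex().upper() for tag, body in packets(data)
            if tag == PKESK_TAG and body[:1] == b"\x03"]

def pkesk(key_id_hex):
    """Constructed v3 PKESK (old-format header) with a dummy 4-byte payload."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00" * 4
    return bytes([0x80 | (PKESK_TAG << 2), len(body)]) + body

# Constructed key IDs, not real keys: one To: recipient and one Bcc: recipient.
TO_KEY, BCC_KEY = "1111222233334444", "AAAABBBBCCCCDDDD"
as_reported = pkesk(TO_KEY) + pkesk(BCC_KEY)  # Bcc key ID visible to every reader
with_hidden = pkesk(TO_KEY) + pkesk(HIDDEN)   # Bcc recipient given with -R

if __name__ == "__main__":
    print(recipient_key_ids(as_reported), recipient_key_ids(with_hidden))
```

The second message still lists two entries: the zeroed key ID hides which key was used, while the number of session-key packets stays readable.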