Bug#898634: kmail: efail attack against S/MIME

To: Sandro Knauß <hefee@debian.org>
Cc: 898634@bugs.debian.org, security@debian.org
Subject: Bug#898634: kmail: efail attack against S/MIME
From: Yves-Alexis Perez <corsac@debian.org>
Date: Wed, 16 May 2018 12:52:31 +0200
Message-id: <[🔎] 323debc9faf01ffa99791905834557e9405ceb42.camel@debian.org>
Reply-to: Yves-Alexis Perez <corsac@debian.org>, 898634@bugs.debian.org
In-reply-to: <[🔎] 1988677.5Mz2IOqD99@tuxin>
References: <[🔎] 152630478232.31531.13923733201808973896.reportbug@scapa> <[🔎] 2665536.enFCP7PGD3@tuxin> <[🔎] 6bd0aaef73649a230af5bc380cb50ecbe36245ee.camel@debian.org> <[🔎] 1988677.5Mz2IOqD99@tuxin> <[🔎] 152630478232.31531.13923733201808973896.reportbug@scapa>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, 2018-05-16 at 12:33 +0200, Sandro Knauß wrote:
> > Thanks, that's good to know.
> 
> Should I prepare a update with those patches for stable?

Yes I think it'd be worth it.
> 
> > > For a more detailed look for KMail and EFail see the dot.kde article:
> > > 
> > > https://dot.kde.org/2018/05/15/efail-and-kmail
> > 
> > That article indicates KMail uses GnuPG for S/MIME, which I find a bit
> > weird. 
> Okay it is simplyfied a lot - but in the end... GPGME itself using gpg-agent 
> etc. to request the work, so in the end it is the normal GnuPG pipeline, that 
> is doing the work, without parsing comandline output :) But for more detailed 
> look I wrote a blog post about the whole crypto stack some while ago:
> https://exote.ch/blogs/sandro/kontact-and-gnupg-under-windows/

There's a misunderstanding. My point isn't about PGP/MIME (which is indeed
handled by gnupg, even if through gpgme), but about S/MIME, which I really
don't think it handled by anything related to gnupg.

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlr8DW8ACgkQ3rYcyPpX
RFsDIAf8DJe2LkURVnSyWskcAW9zer3zZHkHsWke9FhFbRIzulbMMco4s6bNSGnC
n2jh2VdA/6vdNKPq5LqczAmiZVto8OOeX6unWhoJ/egvTiVgCQLdnnT7NHOh5VXM
2GDssF2DQmvI/rE5WYzNr51DunqAeodzhZeZfGOfjBqugKTgj3bhAiQglvti/Q+L
Y40nQf0yD+00DkDlTcuJGXJSN52HbsepraoS80z3t22SUSwXdEn+dhTMDw+Lh0qh
Kq7AZIrHUT6EvhsIqV75OsJb56+xjOHaGnuSa01SjRooF+ACnG2WPh4W88C/77gq
zlQqqwW8dWws2SdcO3LSKn055PSKow==
=JsqI
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Bug#898634: kmail: efail attack against S/MIME
  - From: Sandro Knauß <hefee@debian.org>

References:
- Bug#898634: kmail: efail attack against S/MIME
  - From: Yves-Alexis Perez <corsac@debian.org>
- Bug#898634: kmail: efail attack against S/MIME
  - From: Sandro Knauß <hefee@debian.org>
- Bug#898634: kmail: efail attack against S/MIME
  - From: Yves-Alexis Perez <corsac@debian.org>
- Bug#898634: kmail: efail attack against S/MIME
  - From: Sandro Knauß <hefee@debian.org>

Prev by Date: Bug#898634: kmail: efail attack against S/MIME
Next by Date: Bug#898634: kmail: efail attack against S/MIME
Previous by thread: Bug#898634: kmail: efail attack against S/MIME
Next by thread: Bug#898634: kmail: efail attack against S/MIME
Index(es):
- Date
- Thread