oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

PGP/MIME and S/MIME mail clients vulnerabilities

From: Yves-Alexis Perez <corsac () debian org>
Date: Mon, 14 May 2018 10:05:20 +0200
I guess most people have already saw  this, but just in case, it seems that a
vulnerability in PGP/MIME and S/MIME handling in various mail clients will be
published tomorrow.

Debian Security team didn't get any private information yet, but there have
been multiple twitter threads and blog posts published already:

https://twitter.com/seecurity/status/995906576170053633
https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-
bugs-can-reveal-encrypted-e-mails-uninstall-now/
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-
require-you-take-action-now

GnuPG has posted a tweet (https://twitter.com/gnupg/status/995931083584757760)
indicating it's likely a vulnerability in mail clients themselves and not in
the protocol, and which is related to HTML mail handling.

The vulnerabilities apparently enable an attacker to decrypt previous mails,
but my (wild) guess is that the attack actually requests decryption from the
mail client (which has access to the private key), rather than by actually
decrypting itself.

Regards,
-- 
Yves-Alexis Perez - Debian Security

Attachment: signature.asc
Description: This is a digitally signed message part

Previous By Date Next
Previous By Thread Next

Current thread: