Re: mutt/580: mutt stores PGP passphrase insecurely

To: bug-any@xxxxxxxxxxxxx
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
From: Derek Martin <invalid@xxxxxxxxxxxxxx>
Date: Thu, 6 Oct 2005 22:27:50 -0400
Cc: Mutt Developers <mutt-dev@xxxxxxxx>, "Marco d'Itri" <md@xxxxxxxx>, 96144@xxxxxxxxxxxxxxx
In-reply-to: <E1EN0NB-0006XT-Bf@xxxxxxxxxxxxxxxxxxxx>
List-unsubscribe: <mailto:mutt-dev-request@mutt.org?body=unsubscribe>
Mail-followup-to: bug-any@xxxxxxxxxxxxx, Mutt Developers <mutt-dev@xxxxxxxx>, Marco d'Itri <md@xxxxxxxx>, 96144@xxxxxxxxxxxxxxx
References: <mutt-pr-580@xxxxxxxxxxxxx> <E1EN0NB-0006XT-Bf@xxxxxxxxxxxxxxxxxxxx>
Sender: owner-mutt-dev@xxxxxxxx
User-agent: Mutt/1.5.9i

On Wed, Oct 05, 2005 at 05:55:17AM +0200, Brendan Cully wrote:
> Synopsis: mutt stores PGP passphrase insecurely
> State-Changed-From-To: open->closed
> State-Changed-Why:
> Mutt can use gpg-agent, which pushes this problem outside of mutt's domain.

Er, well, come on...  just because Mutt *can* use an auxiliary program
to handle encryption passphrases securely doesn't mean mutt itself
should completely ignore the issue.  As shipped, mutt is vulnerable.

Admittedly this is not a severe issue, but it is a legitimate security
concern.  I think this really ought to be re-opened.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.

Attachment: pgpNItXAtleey.pgp
Description: PGP signature

References:
- Re: mutt/580: mutt stores PGP passphrase insecurely
  - From: Brendan Cully

Prev by Date: Re: Change of "important" character
Next by Date: Re: Change of "important" character
Previous by thread: Re: mutt/580: mutt stores PGP passphrase insecurely
Next by thread: Re: mutt/580: mutt stores PGP passphrase insecurely
Index(es):
- Date
- Thread