Re: mutt/580: mutt stores PGP passphrase insecurely
The following reply was made to PR mutt/580; it has been noted by GNATS.
From: Derek Martin <invalid@xxxxxxxxxxxxxx>
To: bug-any@xxxxxxxxxxxxx
Cc: Mutt Developers <mutt-dev@xxxxxxxx>, "Marco d'Itri" <md@xxxxxxxx>,
96144@xxxxxxxxxxxxxxx
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date: Thu, 6 Oct 2005 22:27:50 -0400
On Wed, Oct 05, 2005 at 05:55:17AM +0200, Brendan Cully wrote:
> Synopsis: mutt stores PGP passphrase insecurely
> State-Changed-From-To: open->closed
> State-Changed-Why:
> Mutt can use gpg-agent, which pushes this problem outside of mutt's domain.
Er, well, come on... just because Mutt *can* use an auxiliary program
to handle encryption passphrases securely doesn't mean mutt itself
should completely ignore the issue. As shipped, mutt is vulnerable.
Admittedly this is not a severe issue, but it is a legitimate security
concern. I think this really ought to be re-opened.
--
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in
undeliverable mail. Sorry for the inconvenience. Thank the spammers.