
Re: mutt/580: mutt stores PGP passphrase insecurely



The following reply was made to PR mutt/580; it has been noted by GNATS.

From: Derek Martin <invalid@xxxxxxxxxxxxxx>
To: bug-any@xxxxxxxxxxxxx
Cc: Mutt Developers <mutt-dev@xxxxxxxx>, "Marco d'Itri" <md@xxxxxxxx>,
   96144@xxxxxxxxxxxxxxx
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date: Thu, 6 Oct 2005 22:27:50 -0400

 On Wed, Oct 05, 2005 at 05:55:17AM +0200, Brendan Cully wrote:
 > Synopsis: mutt stores PGP passphrase insecurely
 > State-Changed-From-To: open->closed
 > State-Changed-Why:
 > Mutt can use gpg-agent, which pushes this problem outside of mutt's domain.
 
 Er, well, come on...  just because Mutt *can* use an auxiliary program
 to handle encryption passphrases securely doesn't mean mutt itself
 should completely ignore the issue.  As shipped, mutt is vulnerable.
 
 Admittedly this is not a severe issue, but it is a legitimate security
 concern.  I think this really ought to be re-opened.
 
 -- 
 Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
 -=-=-=-=-
 This message is posted from an invalid address.  Replying to it will result in
 undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.
 
 