new gmime/gpg bug



Hi Jeff,

I discovered a new bug in the gmime cvs (last changelog "2004-06-28 Jeffrey Stedfast <fejj ximian com>") when signing multipart/mixed messages in a multipart/signed container (RFC 3156/"GnuPG Mime Mode"). The data fed into the crypto engine for calculating the signature starts with

<snip>
Content-Type: multipart/mixed; boundary="=-MfsfHF4t27jt7Mwh0+ur"

--=-MfsfHF4t27jt7Mwh0+ur
Content-Type: text/plain; charset=ISO-8859-15; DelSp=Yes; Format=Flowed
Content-Disposition: inline
</snip>

but the data actually sent is

<snip>
Content-Type: multipart/mixed; boundary="=-woLHJf8t/672wWPOMxWr"

--=-woLHJf8t/672wWPOMxWr
Content-Type: text/plain; charset=ISO-8859-15; DelSp=Yes; Format=Flowed
Content-Disposition: inline
</snip>

Obviously, the "boundary" parameter has changed, and of course this invalidates the signature calculated above.

For Balsa/HEAD users this means not only that warnings about invalid signatures are unreliable, but also that sent signed messages with attachments will *always* have invalid signatures. So, for the time being I recommend NOT using GnuPG/MIME crypto with HEAD. OpenPGP should be safe, though. If you need RFC 3156 crypto, please use Balsa 2.0 - it *really* works there!

Cheers, Albrecht.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Albrecht Dreß  -  Johanna-Kirchner-Straße 13  -  D-53123 Bonn (Germany)
      Phone (+49) 228 6199571  -  mailto:albrecht dress arcor de
_________________________________________________________________________

Attachment: pgpJHqGcwcnpI.pgp
Description: PGP signature
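
An added example, not part of the original message and not GMime or Balsa code: a Python check that extracts the signed body part of a multipart/signed message and compares it with the bytes given to the signer, using the two boundary strings from the report. The outer boundary, body text, placeholder signature and all function names are constructed for illustration, and SHA-256 stands in for the signature's digest.

```python
import hashlib
import re

OUTER = b"outer-constructed"  # constructed boundary of the multipart/signed container

def canonical(data: bytes) -> bytes:
    """Convert line endings to CRLF, the form RFC 3156 signs and verifies."""
    return re.sub(rb"\r?\n", b"\r\n", data)

def inner_part(boundary: str) -> bytes:
    """Constructed multipart/mixed part built from the header lines in the report."""
    return (
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n\n'
        f"--{boundary}\n"
        "Content-Type: text/plain; charset=ISO-8859-15; DelSp=Yes; Format=Flowed\n"
        "Content-Disposition: inline\n\nconstructed body text\n"
        f"--{boundary}--\n"
    ).encode("ascii")

def wire_message(part: bytes) -> bytes:
    """Wrap a part in a constructed multipart/signed message (placeholder signature)."""
    head = (b'Content-Type: multipart/signed; micalg=pgp-sha256;\n'
            b' protocol="application/pgp-signature"; boundary="' + OUTER + b'"\n\n')
    sig = b"Content-Type: application/pgp-signature\n\n(placeholder)\n"
    return (head + b"--" + OUTER + b"\n" + part + b"\n--" + OUTER + b"\n"
            + sig + b"--" + OUTER + b"--\n")

def signed_part(raw: bytes) -> bytes:
    """Exact bytes of the first body part: what the detached signature covers."""
    msg = canonical(raw)
    m = re.search(rb'boundary="([^"]+)"', msg.split(b"\r\n\r\n", 1)[0])
    if m is None:
        raise ValueError("no boundary parameter in the top-level header")
    # RFC 2046: the CRLF before a delimiter line belongs to the delimiter.
    pieces = msg.split(b"\r\n--" + m.group(1))
    if len(pieces) < 4:
        raise ValueError("multipart/signed needs two body parts")
    return pieces[1][2:]  # drop the CRLF that ends the opening delimiter line

def signature_survives(signed_input: bytes, sent: bytes) -> bool:
    """True if the bytes hashed for signing are the bytes that went on the wire."""
    fed = hashlib.sha256(canonical(signed_input)).digest()
    return fed == hashlib.sha256(signed_part(sent)).digest()

fed_to_engine = inner_part("=-MfsfHF4t27jt7Mwh0+ur")  # boundary seen by the signer
regenerated = inner_part("=-woLHJf8t/672wWPOMxWr")    # boundary in the sent mail
print(signature_survives(fed_to_engine, wire_message(fed_to_engine)))
print(signature_survives(fed_to_engine, wire_message(regenerated)))
```

A check of this kind in a mailer's test suite catches any re-serialisation between signing and sending, since a single changed header parameter inside the signed part changes the digest.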