Re: new gmime/gpg bug



I don't see how GMime would change the multipart boundaries. I can only
presume that perhaps Balsa changed them after signing?

If you can show me where GMime went wrong, please do...

Jeff

On Sat, 2004-07-03 at 19:07 +0200, Albrecht Dreß wrote:
> Hi Jeff,
> 
> I discovered a new bug in the gmime cvs (last changelog "2004-06-28  
> Jeffrey Stedfast <fejj ximian com>") when signing multipart/mixed messages  
> in a multipart/signed container (RFC 3156/"GnuPG Mime Mode"). The data fed  
> into the crypto engine for calculating the signature starts with
> 
> <snip>
> Content-Type: multipart/mixed; boundary="=-MfsfHF4t27jt7Mwh0+ur"
> 
> --=-MfsfHF4t27jt7Mwh0+ur
> Content-Type: text/plain; charset=ISO-8859-15; DelSp=Yes; Format=Flowed
> Content-Disposition: inline
> </snip>
> 
> but the data actually sent is
> 
> <snip>
> Content-Type: multipart/mixed; boundary="=-woLHJf8t/672wWPOMxWr"
> 
> --=-woLHJf8t/672wWPOMxWr
> Content-Type: text/plain; charset=ISO-8859-15; DelSp=Yes; Format=Flowed
> Content-Disposition: inline
> </snip>
> 
> Obviously, the "boundary" parameter has changed, and of course this  
> invalidates the signature calculated above.
> 
> For Balsa/HEAD users this means that not only warnings about invalid  
> signatures are unreliable, but that also sent signed messages with  
> attachments will *always* have invalid signatures. So, for the time being  
> I recommend NOT to use GnuPG/MIME crypto with HEAD. OpenPGP should be  
> safe, though. If you need RFC 3156 crypto, please use Balsa 2.0 - it  
> *really* works there!
> 
> Cheers, Albrecht.
> 
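Added example, not part of the original thread and not GMime or Balsa code: a byte-exact check that the first part of a multipart/signed message is still what was handed to the crypto engine. The two inner boundaries are the ones quoted above; the outer boundary, body text, function names, and the use of a SHA-256 digest in place of a real GnuPG signature are assumptions made for illustration.

```python
import hashlib

CRLF = b"\r\n"
SIGNED_BOUNDARY = b"=-MfsfHF4t27jt7Mwh0+ur"  # boundary fed to the crypto engine
SENT_BOUNDARY = b"=-woLHJf8t/672wWPOMxWr"    # boundary in the message actually sent

def inner_entity(boundary: bytes) -> bytes:
    """Serialize a constructed multipart/mixed entity with the given boundary."""
    return CRLF.join([
        b'Content-Type: multipart/mixed; boundary="' + boundary + b'"',
        b"",
        b"--" + boundary,
        b"Content-Type: text/plain; charset=ISO-8859-15",
        b"Content-Disposition: inline",
        b"",
        b"constructed body text",
        b"--" + boundary + b"--",
        b"",
    ])

def wrap_signed(entity: bytes, outer: bytes = b"=-outer-constructed") -> bytes:
    """Put entity first in a multipart/signed container; the signature is a placeholder."""
    delim = b"--" + outer
    head = (b'Content-Type: multipart/signed; protocol="application/pgp-signature";'
            + CRLF + b' boundary="' + outer + b'"' + CRLF + CRLF)
    sig = b"Content-Type: application/pgp-signature" + CRLF + CRLF + b"(placeholder)"
    return (head + delim + CRLF + entity + CRLF + delim + CRLF + sig
            + CRLF + delim + b"--" + CRLF)

def signed_part(raw: bytes) -> bytes:
    """Return the exact bytes of the first body part, with no re-serialization."""
    header, _, body = raw.partition(CRLF + CRLF)
    outer = header.split(b'boundary="', 1)[1].split(b'"', 1)[0]
    delim = b"--" + outer
    start = body.index(delim + CRLF) + len(delim + CRLF)
    end = body.index(CRLF + delim, start)  # CRLF before a delimiter belongs to the delimiter
    return body[start:end]

def would_verify(digest_at_signing: str, sent: bytes) -> bool:
    """A signature can only verify if the sent bytes equal the bytes that were signed."""
    return hashlib.sha256(signed_part(sent)).hexdigest() == digest_at_signing

def demo() -> tuple:
    at_signing = hashlib.sha256(inner_entity(SIGNED_BOUNDARY)).hexdigest()
    kept = wrap_signed(inner_entity(SIGNED_BOUNDARY))
    regenerated = wrap_signed(inner_entity(SENT_BOUNDARY))
    return would_verify(at_signing, kept), would_verify(at_signing, regenerated)

if __name__ == "__main__":
    print(demo())
```

Run as a pre-send self-check, a comparison like this flags a message whose signed part was re-serialized with a fresh boundary after the signature was computed.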


