oss-sec mailing list archives

Re: PGP/MIME and S/MIME mail clients vulnerabilities

From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 14 May 2018 10:29:52 +0200

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html hasmore details:

"[...] HTML is used as a back channel to create an oracle for modifiedencrypted mails. It is long known that HTML mails and in particularexternal links like <img href="tla.org/TAG"/> are evil if the MUAactually honors them (which many meanwhile seem to do again; see allthese newsletters). Due to broken MIME parsers a bunch of MUAs seem toconcatenate decrypted HTML mime parts which makes it easy to plant suchHTML snippets."


--
Jakub Wilk

Current thread:

PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 14)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Jakub Wilk (May 14)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Christian Brabandt (May 14)
  - Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 14)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Brian May (May 15)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 15)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Leo Gaspard (May 15)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Brian May (May 16)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Brian May (May 16)
  - Re: PGP/MIME and S/MIME mail clients vulnerabilities Florian Weimer (May 15)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 16)
    - Re: PGP/MIME and S/MIME mail clients vulnerabilities Matthew Fernandez (May 16)

(Thread continues...)