Bug 1186464 - Thunderbird stores PGP keys in the clear
Status: RESOLVED DUPLICATE of bug 1186199
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Hardware: Other Other
Priority: P5 - None, Severity: Normal
Assigned To: Security Team bot
Reported: 2021-05-26 10:53 UTC by Carlos Robinson
Modified: 2021-05-26 15:27 UTC (History)

Description Carlos Robinson 2021-05-26 10:53:02 UTC

«The vulnerability, assessed as “low” impact by Mozilla, existed in the free open source Thunderbird email client between version 78.8.1 and version 78.10.1 after a crestfallen maintainer realised carefully designed protections were in fact not protecting users’ private OpenPGP keys.

Tracked as CVE-2021-29956, the vuln saw imported OpenPGP keys saved to users’ devices without encryption. A local attacker could therefore have viewed and copied the keys, allowing them to pose as the genuine sender of supposedly secure emails.»

«A few weeks ago some Thunderbird users on the desktop email client’s end-to-end encryption mailing list realised that on opening the program, they were able to view OpenPGP-encrypted emails without entering their master passwords. In Thunderbird, such messages are only supposed to be viewable after authenticating yourself.

“As soon as the user has configured a master password, the first time any of the stored secrets is required by Firefox/Thunderbird, the user will be prompted to enter it,” explained Engert. “If entered correctly, the symmetric key will be unlocked and remembered for the remainder of the session, and any protected secrets can be unlocked as needed.”»

(I commented myself on the latter.)

We have Thunderbird version 78.10.0, thus vulnerable.
Comment 1 Andreas Stieger 2021-05-26 15:27:41 UTC

*** This bug has been marked as a duplicate of bug 1186199 ***