[Bug 1093836] New: Recent security fix for enigmail breaks e-mail decryption or sender validation
http://bugzilla.suse.com/show_bug.cgi?id=1093836

Bug ID: 1093836
Summary: Recent security fix for enigmail breaks e-mail decryption or sender validation
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: x86-64
OS: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: manfred.h@gmx.net
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I just installed enigmail-2.0.4-12.1.x86_64 on my otherwise up-to-date system running openSUSE Leap 42.3, just to figure out that e-mail decryption or sender validation is no longer possible. When I click on an encrypted message received from someone whose public key is already stored in my keyring, I now only see the following:

Enigmail: Error - no matching secret found to decrypt message

Downgrading to enigmail-1.9.9-9.1 results in a fully working MozillaThunderbird/enigmail combination.

Since openSUSE Leap 15.0 already has enigmail-2.0.2 and gpg2-2.2, I booted into Leap 15.0 to run the same test opening the exact same e-mail, and there it works as expected.

From reading enigmail's changelog, it may be caused by the old gpg2 version (2.0.24-8) available on Leap 42.3. Anyway, using enigmail >= 2.0 with gpg2 < 2.2 on Leap 42.3 is a no-go! The released security update for enigmail is not compatible and should be reverted.

--
You are receiving this mail because: You are on the CC list for the bug.
Manfred Hollstein

--- Comment #1 from Wolfgang Rosenauer (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c1)

Marcus Meissner

--- Comment #2 from Andreas Stieger (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c2)
(In reply to Manfred Hollstein from comment #0)
> Enigmail: Error - no matching secret found to decrypt message

This is normally an indication of mixed use of GnuPG 2.0 and 2.2, e.g. as would happen when sharing a home directory, or when the gpg-agent keeps running.

> Downgrading to enigmail-1.9.9-9.1 results in a fully working MozillaThunderbird/enigmail combination.

Hmm, interesting.

> Since openSUSE Leap 15.0 already has enigmail-2.0.2 and gpg2-2.2, I booted into Leap 15.0 to run the same test opening the exact same e-mail, and there it works as expected.

Can you please cross-check that you can decrypt the item with the plain gpg 2.0 CLI?
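A layout check that makes the mixed-version situation above concrete: it tells you which GnuPG generation can read the secret keys in a (possibly shared) ~/.gnupg. This is an added diagnostic, not part of the bug report; the function names are mine and it only looks at the on-disk layout, never at the keys themselves.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report). Facts it relies on:
#   - GnuPG 1.x / 2.0.x keep secret keys in secring.gpg and read that file directly.
#   - GnuPG 2.1+ migrate them once into private-keys-v1.d/ (served by gpg-agent) and
#     do not use secring.gpg afterwards; keys created with 2.2 exist only in that dir.
# So a home whose secret key lives only in private-keys-v1.d/ is invisible to the
# gpg2 2.0.24 on Leap 42.3, which is exactly the "no matching secret found" symptom.

# Print which secret-key store(s) the GnuPG home directory $1 contains.
gnupg_store_layout() {
    home="$1"
    have_old=0
    have_new=0
    [ -s "$home/secring.gpg" ] && have_old=1
    if [ -d "$home/private-keys-v1.d" ] && [ -n "$(ls -A "$home/private-keys-v1.d" 2>/dev/null)" ]; then
        have_new=1
    fi
    if [ "$have_old" -eq 1 ] && [ "$have_new" -eq 1 ]; then
        echo mixed          # touched by both a 2.0 and a 2.1+ binary at some point
    elif [ "$have_new" -eq 1 ]; then
        echo modern-only    # only GnuPG 2.1+ can see these secret keys
    elif [ "$have_old" -eq 1 ]; then
        echo legacy-only    # readable by 2.0; 2.1+ would migrate it on first use
    else
        echo none
    fi
}

# Exit 0 if a gpg binary with version string $2 can read secret keys from home $1.
# The layout check is necessary, not sufficient: in a "mixed" home a key generated
# by 2.2 after the migration is still absent from secring.gpg.
gnupg_secrets_visible_to() {
    layout=$(gnupg_store_layout "$1")
    case "$2" in
        1.*|2.0|2.0.*) [ "$layout" = legacy-only ] || [ "$layout" = mixed ] ;;
        *)             [ "$layout" = modern-only ] || [ "$layout" = mixed ] ;;
    esac
}

# Stand-alone usage: classify the caller's own GnuPG home.
echo "layout of ${GNUPGHOME:-$HOME/.gnupg}: $(gnupg_store_layout "${GNUPGHOME:-$HOME/.gnupg}")"
```

Run it from each booted distribution (gpg2 --version gives the version string to pass to gnupg_secrets_visible_to); a "modern-only" result on the 2.0 system explains the error without any enigmail involvement.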
Marcus Meissner

--- Comment #4 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c4)
> (In reply to Manfred Hollstein from comment #0)
> > Enigmail: Error - no matching secret found to decrypt message
>
> This is normally an indication of mixed use of GnuPG 2.0 and 2.2, e.g. as would happen when sharing a home directory, or when the gpg-agent keeps running.
>
> > Downgrading to enigmail-1.9.9-9.1 results in a fully working MozillaThunderbird/enigmail combination.
>
> Hmm, interesting.
>
> > Since openSUSE Leap 15.0 already has enigmail-2.0.2 and gpg2-2.2, I booted into Leap 15.0 to run the same test opening the exact same e-mail, and there it works as expected.
>
> Can you please cross-check that you can decrypt the item with the plain gpg 2.0 CLI?

Yep, just saved the message to some new file "zoo", then ran "gpg2 --decrypt < zoo" and saw everything being decrypted.
--- Comment #5 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c5)
> (In reply to Manfred Hollstein from comment #0)
> > When I click on an encrypted message received from someone whose public key is already stored in my keyring, I now only see the following:
> >
> > Enigmail: Error - no matching secret found to decrypt message
>
> Someone's public key has nothing to do with decryption. The problem is locating the secret key to decrypt the message, usually your own.
>
> > From reading enigmail's changelog, it may be caused by the old gpg2 version (2.0.24-8) available on Leap 42.3.
>
> Which changelog entry is that exactly, please?

https://www.enigmail.net/index.php/en/download/changelog#enig2.0 where it talks about:

    Support for Web Key Directory (WKD) is implemented. Enigmail will try to download unavailable keys during message composition from WKD. If you use GnuPG 2.2.x, and your provider supports the Web Key Service protocol, you can also use Enigmail to upload your key to WKD.

which is just *some* reference (admittedly out of scope) to gpg-2.2.
--- Comment #6 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c6)
> wolfi@Hygiea:~> rpm -q enigmail
> enigmail-2.0.4-1.1.x86_64
> wolfi@Hygiea:~> rpm -q gpg2
> gpg2-2.0.24-8.1.x86_64
> wolfi@Hygiea:~> cat /etc/os-release
> NAME="openSUSE Leap"
> VERSION="42.3"
>
> So far I've tested a few use cases and I didn't run into issues.
>
> Not sure what is happening for you or what is specific in your error case. Any hints?

Do you share your $HOME between 42.3, 15.0, Tumbleweed? That's exactly what I do here; I have some precautions for ~/.{cache,config,fontconfig,gconf,gkrellm2,gnome2,icewm,kde,kde4,local} by using them as bind-mounts to ~/.OS/os-{distro}/.<directory>, but not for ~/.gnupg as I don't want to keep my private key and related keyrings in more than one directory.
--- Comment #8 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c8)
> (In reply to Manfred Hollstein from comment #6)
> > Do you share your $HOME between 42.3, 15.0, Tumbleweed?
>
> Uh, GnuPG is known to get confused between versions and not find the private key anymore. Much the opposite of enigmail, which is known to work with various GnuPG versions. Maybe something went wrong in this dance?

Maybe, but not that I know of. And, as I wrote, gpg2 < 2.0 and enigmail < 2.0 work on Leap 42.3, gpg2 >= 2.2 and enigmail >= 2.0 also work on Leap 15.0.

It would be a great pity if such an important piece like gpg2 couldn't be used in a multi-OS environment with a shared home directory...
--- Comment #9 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c9)
> (In reply to Andreas Stieger from comment #7)
> > (In reply to Manfred Hollstein from comment #6)
> > > Do you share your $HOME between 42.3, 15.0, Tumbleweed?
> >
> > Uh, GnuPG is known to get confused between versions and not find the private key anymore. Much the opposite of enigmail, which is known to work with various GnuPG versions. Maybe something went wrong in this dance?
>
> Maybe, but not that I know of. And, as I wrote, gpg2 < 2.0 and enigmail < 2.0 work on Leap 42.3, gpg2 >= 2.2 and enigmail >= 2.0 also work on Leap 15.0.
>
> It would be a great pity if such an important piece like gpg2 couldn't be used in a multi-OS environment with a shared home directory...

Shit, I meant "gpg2 <= 2.0 and enigmail < 2.0", of course.
--- Comment #16 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c16)

--- Comment #17 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c17)

--- Comment #19 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c19)

--- Comment #21 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c21)

--- Comment #24 from Manfred Hollstein (http://bugzilla.suse.com/show_bug.cgi?id=1093836#c24)