Bug Affects KGPG's Versions From 0.6 to 0.8.2
Mon Nov 11 21:13:01 2002
-----BEGIN PGP SIGNED MESSAGE-----
- From http://devel-home.kde.org/~kgpg/bug.html
- -----BEGIN QUOTE-----
Grave security bug reported (06.11.02) :
Bug affects Kgpg's versions from 0.6 to 0.8.2.
A bug in Kgpg's key generation affects all secret keys generated
through Kgpg's wizard. (Bug does not affect keys created in
console/expert mode). All keys created through the wizard have
an empty passphrase, which means that if someone has access to
your computer and can read your secret key, he/she can decrypt
your files whitout the need of a passphrase.
Why this bug, is Kgpg insecure ? This bug happened because the
way the passphrase was sent to GnuPG was incorrect. Thus,
passphrase was considered empty. Basically, Kgpg is just a
frontend that sends command line arguments to GnuPG. So, there
shouldn't be security issues, except when the sent commands are
wrong... I always tried to be very careful... If some users
think it is usefull, I could introduce a paranoia mode that
displays each command before executing it.
What can you do:
We strongly recommend that you delete all secret created with
the wizard. You can also edit the key and give it a new
passphrase, however, the key may have been compromised in the
All Kgpg's users are also strongly advised to update to version
Sorry for all inconveniences...
- -----END QUOTE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0
-----END PGP SIGNATURE-----