[Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020)

Peter Lebbing peter at digitalbrains.com
Mon Jun 11 11:07:58 CEST 2018

(Could you please trim your quotes? Incidentally, this would have
prevented the problem in the first place, both on the first and on your

On 10/06/18 22:50, Jean-David Beyer wrote:
> It says part of your message to me was encrypted and prompted me for my
> passphrase, but it must not have been encrypted with my public key.

It would appear that at least Enigmail (mine is from Debian
stable/stretch) ignores an inline encrypted block if it is indented, but
interprets it if it is quoted *and* indented. So while there was no
attempt to decrypt the block in the first message by Werner, as soon as
it was part of a quote, starting with ">   ", Enigmail will try to
process it. Type in the passphrase "abc" without quotes, and you'll
decrypt the test message part of the announcement.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
