Page MenuHome GnuPG
Create Task
Maniphest T2138

Gpgol 1.3.0 beta might leak plaintext if it is deactivated at the wrong time
Closed, ResolvedPublic
Actions

Description

GpgOL 1.3.0 replaces the body of a mail / decrypts attachments at runtime in the
read event. This is ok because it also catches write events and encrypts
attachments / wipes the mail body again in those events.

But in case GpgOL is deactivated through Outlook options we no longer see the
write event and so we don't wipe the mail. Leaking plaintext.

The workaround for that issue is clear "Don't deactivate GpgOL" but we can fix
this if we keep track of all Mailitems that need to be wiped and wipe them when
our Addin instance is released / deleted.

Details

Version
1.3.0-beta

Related Objects

Event Timeline

aheinecke added projects: Windows, gpg4win, gpgol, Windows 32, Bug Report.Oct 28 2015, 12:37 PM
aheinecke set Version to 1.3.0-beta.
aheinecke added subscribers: emanuel, aheinecke.
aheinecke added a comment.Nov 2 2015, 5:56 PM

Fixed with: b942f73

If GpgOL is deactivated it cleans up after itself and wipes the plaintext from
mails / session encrypts attachments.
If that fails it shows a warning message.

aheinecke closed this task as Resolved.Nov 2 2015, 5:56 PM
aheinecke mentioned this in T1837: GPGOL causes Outlook to crash.Mar 30 2017, 7:16 PM
aheinecke mentioned this in T1106: Deinstalling gpg4win leaves encrypted messages decrypted.