------ Original Message ------
From: "Andre Heinecke via BTS" <gnupg@bugs.g10code.com>
To: aheinecke@intevation.de; dr_it@mailbox.org
Sent: 16-1-2017 15:35:25
Subject: [issue2892] GpgOL: Encrypt is selected on Reply/Forward
Well if my wife is representative of a lot of "ordinary" users (and I
think she is), it will be hard to explain it to them and after that let
them remember it for the future :(
Also this will not be the solution (I think) for when I want to move a
lot of mails (use case: mailbox space full, so want to archive older
mail to local folder by moving them from imap folder)?
Oops wrong, 251 did not yet have it, 253 will have it. Forgot to push the change.
I've added the option. It's in the latest beta (251) from files.gpg4win.org
A beta installer containing this version will be published likely this or next week.
We are aiming for a stable release middle of march.
While this f.e. for my wife will not work, not user friendly enough :(
I'm really really sad to hear that. I was hoping this was acceptable to
"non-technical" users just one of the quirks users eventually get used to :-(
I tried to think about this more but I don't see another solution than:
a) Prevent Outlook from saving any changes after a message was decrypted
b) When Outlook wants to save a mail remove the plaintext, restore the
encrypted contents and save the changes to the encrypted mail.
because Outlook thinks the attachments have changed. When closing Outlook this
also somehow brought Outlook in a state that it kept indefinitely syncing a single
mail :-/. It also broke the signatures on signed-only mails because the MIME
boundaries could not be restored. In general I found it much more unstable and
buggy than a clear "Sorry you can't do that". :-/
Ok, I found the problem, as we handle the selection changed event in the
messagelist we were trying to decrypt messages even if they were not loaded /
visible in the preview window. That caused a weird state and several errors.
I've fixed it now so that we only decrypt items when a selection changes in an
Explorer that has a visible preview pane. I'll let you know once a beta with
that fix is released.
Thanks again,
Andre
Well if this works, I could live with it temporarily, but not indefinitely. While
this f.e. for my wife will not work, not user friendly enough :(
So hopefully you can work this out somewhere in the future, but from your reply I
understand this is not something I should expect soon (or ever)...
I'm also testing EM Client which has promised to come with PGP support, so will
wait a little longer and then decide which (best available) way I'm going to use
(now temporarily disabled online encryption).
Thank you for making this an optional setting! Any idea in what release this
will be planned?
Done now
Thanks for testing the beta and your report. I can reproduce some weird crashes
when the preview pane is disabled, too. It's not 100% for me but some times
after sending a crypto mail sometimes later it crashes, sometimes when switching
folders it crashes, very weird. Sometimes the decrypted contents of a mail are
not shown after opening it.
And with preview everything is fine.
Looking into it.
Yes, we fixed that. Sorry I didn't see your bug report then.
Btw. You can also send such E-Mails encrypted with GpgOL nowadays :-)
As a user are these workarounds acceptable to you. < This should have been a
question ;-)
Hi,
Again thanks for your feedback on the GpgOL-Beta. You might want to give the
latest one from http://files.gpg4win.org/Beta/gpgol/ (beta-246 currently) a try;
it's much improved and there were several potential crashes fixed. I'm currently
working on an improved certificate selection and certificate details dialog and
then we will release a new gpg4win beta with that.
To your problem: Yes this is a serious problem, but we currently don't have a
solution for this, only a workaround. The workaround is to do the Copy / Move /
Modify while the mail is not shown decrypted. In the current beta:
If you unselect the crypto mail you can move / copy / modify (e.g. flag) the
message through right clicking it.
To save the message as .msg you can drag & drop it (even when opened) to a
target windows explorer folder.
An opened message can still be moved to trash. Any other moves will sadly
result in a "File name or directory name is not valid" error.
We inform the user about this only when he tries to modify a mail (see attached
screenshot) we should probably also do that for other things.
The underlying problem is pretty complicated and we spent a lot of time
struggling with that, but basically we must prevent outlook from saving the
decrypted content. Otherwise the mail will break and can no longer be shown in
other MUAs. And worse the Plaintext may be resynced to the server. One
workaround we had was to restore the crypto contents before outlook saved the
mail then decrypt it again. But this caused several other problems. E.g. Outlook
resynced the mail to imap and signatures might be broken, and if we did this at
the wrong time Outlook would go into an indefinite sync loop. So we decided
better to have clear workarounds and be otherwise stable than to have buggy /
strange behavior.
As a user are these workarounds acceptable to you.
Hi,
Thanks for feedback on the beta!
This was actually a feature request and I consider this a feature. Because it's
a security usability problem if someone replies to an encrypted mail in plain
text with a full quote of the originally encrypted mail. KMail for example does
the same preselection.
But I see your use case. I'll make it optional (a config setting) but the default
will be "enabled".
I tested some more and found out the problem is bigger than only move. Copy also
doesn't work, but save message as .msg or exporting to pst folder doesn't work
either. So it seems nothing can be done with a message to save or archive it
somewhere else than the original folder. Tried official stable version of gpgol, but
this has the same problems. Also tried this stuff on Android with K9 client and
openkeychain, whereas these problems do not exist, it simply works as expected.
I just tried with latest gpgol (beta 204) and it now seems to work. So bug is
solved already! :)
I could reproduce this by opening two crypto mails in multiple windows this
reliably triggered the crash.
I have not fully understood the crash as it crashed in the close invocation in
Outlook. After various tries and improvements to our code (there were some fishy
cleanups) I was able to fix this by closing the inspector of the mailobject
before closing the mail. Outlook apparently did not like it if I closed a mail
that was active in an inspector but that is a bit of speculation.
However, if I turn the reading area/preview area on, anything works fine :/
Hi,
thanks for your message. I installed the gpg4win beta 194 (3.0.0, released at
15th November), however, Outlook now crashes with another error message:
Runtime Error!
Program: C:\Program Files\Microsoft Office\root\Offie16\OUTLOOK.EXE
This application has requested the Runtime to terminate it in an unusual way.
Please contact the acpplication's support team for more information.
The error message occurs, when I _select_ an encrypted/signed message in outlook
(preview window is off, so the message should probably not be loaded, yet). I
can't open the message itself (but I'll need to enter my private key pin).
Is this related to this bug or should I open a new one?
Best,
Florian
I've just announced a new 3.0 beta that contains the updated GpgOL
http://lists.wald.intevation.org/pipermail/gpg4win-devel/2016-November/001659.html
Please let me know if it still crashes for you with that version.
Thanks a lot. I will test as soon as you release the test build.
Hi,
Thanks for testing gpg4win. This issue was already reported in T2335 and has
been resolved (but not yet released).
I'll upload a new beta next week.
Regards,
Andre
gpgol 2.0 won't change the messages on the server anymore. There might be code
paths leading to that under error conditions but I'm not aware of any. And the
fallback is first to try to revert them.
Still true for sending but for sending we don't have a choice. But decryption is
now done in a different thread.
I've tried this again with the current development version after a very large
refactoring how we handle mails. The bug appears to be gone. I've tested 10
times to send a file with closed / open outlook and with and without encryption
active.
If I install gpg4win-2.3.3 on the same system / setup the crash is reliably
reproducible.
It's still likely that we made a reference counting error internally in code
that was changed / fixed now. And Outlook released the Mail object too early and
crashed.
Kaspersky probably had some similar error in their code.
I'll upload a new Gpg4win beta with the new gpgol next. I'll ping in this issue
once that's done so you could ideally confirm that it's fixed now.
That's awesome aheinecke! Honestly wasn't sure if this issue would ever get much
attention. Thanks for the effort in making Gpg4win a more secure product!
Duplicate of T2341
Thanks for your report,
This was already fixed in T2341
Which is currently not yet released. I'm marking this issue here as released
with superseder (duplicate) to keep the tracker clean.
GpgOL is built with DEP and ASLR now. Need to enable this for GpgEX and some
other parts of Gpg4win, too. So not yet fully resolved but I keep it in mind.
Fixed with: 5579c4b4f
The code was overcomplicated as it was based on a bad assumption about Outlook
which I never questioned myself. We now properly encrypt in the send event so no
need for ticklish threads / callbacks.
Fixed for the next version with 037a5a7ed
Interesting...
The Kaspersky issue is about Outlook 2007... Is that supposed bug really already
THAT old?!