mozilla-thunderbird-enigmail: strange behavior with remember passphrase

Automatically imported from Debian bug report #272156 http://bugs.debian.org/272156

Message-Id: <email address hidden>
Date: Fri, 17 Sep 2004 23:42:48 +0200
From: Yoann <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mozilla-thunderbird-enigmail: strange behavior with remember passphrase

Package: mozilla-thunderbird-enigmail
Version: 2:0.85.0debian1-1
Severity: grave
Tags: security
Justification: user security hole

I ran a few tests on pgp and may have found a bug (or maybe it's a
feature ?!)

I created 2 different mail accounts on Thunderbird, each with a
different pgp key but both with the same passphrase.

I sent a signed mail from the first account, with the option to
remember the passphrase for 5 minutes checked. When I tried to send
another signed mail from the second account, Enigmail didn't ask me
again for the passphrase, even though the pgp key was different.

Yoann

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-mm1
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro

Versions of packages mozilla-thunderbird-enigmail depends on:
ii gnupg 1.2.5-3 GNU privacy guard - a free PGP rep
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libgcc1 1:3.4.2-2 GCC support library
ii libstdc++5 1:3.3.4-11 The GNU Standard C++ Library v3
ii mozilla-thunderbird 0.7.3-6 Mozilla Thunderbird standalone mai

-- no debconf information

Not a bug

Message-ID: <email address hidden>
Date: Fri, 17 Sep 2004 15:21:01 -0700
From: Matt Zimmerman <email address hidden>
To: <email address hidden>
Subject: Re: Bug#272156: mozilla-thunderbird-enigmail: strange behavior with remember passphrase

tags 272156 - security
thanks

--
 - mdz

Message-ID: <email address hidden>
Date: Sat, 18 Sep 2004 01:29:56 +0200
From: Alexander Sack <email address hidden>
To: Yoann <email address hidden>, <email address hidden>
Subject: Re: Bug#272156: mozilla-thunderbird-enigmail: strange behavior with
 remember passphrase

>I ran a few tests on pgp and may have found a bug (or maybe it's a
>feature ?!)
>
>I created 2 different mail accounts on Thunderbird, each with a
>different pgp key but both with the same passphrase.
>
>
>
What is a mail account in your dictionary? Do you refer to two different
inboxes in the same running thunderbird instance? Or do you mean two
profiles, that is you have to use the profile manager to select it at
startup?

--
 GPG messages preferred. | .''`. ** Debian GNU/Linux **
 Alexander Sack | : :' : The universal
 <email address hidden> | `. `' Operating System
 http://www.jwsdot.com/ | `- http://www.debian.org/

Message-ID: <email address hidden>
Date: Sat, 18 Sep 2004 09:03:42 +0200
From: yoann <email address hidden>
To: <email address hidden>
Subject: Re: Bug#272156: mozilla-thunderbird-enigmail: strange behavior with
 remember passphrase

Alexander Sack a =E9crit :
>=20
>> I ran a few tests on pgp and may have found a bug (or maybe it's a
>> feature ?!)
>>
>> I created 2 different mail accounts on Thunderbird, each with a
>> different pgp key but both with the same passphrase.
>>
> What is a mail account in your dictionary? Do you refer to two differen=
t
> inboxes in the same running thunderbird instance? Or do you mean two
> profiles, that is you have to use the profile manager to select it at
> startup?

It's two different inboxes in the same running thunderbird instance

Yoann

Message-ID: <email address hidden>
Date: Sat, 18 Sep 2004 11:50:41 +0200
From: Alexander Sack <email address hidden>
To: yoann <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Re: Bug#272156: mozilla-thunderbird-enigmail: strange behavior with
 remember passphrase

severity 272156 normal
thanks

reduced severity, since this is not a big problem. Usually only the same
person will use a single thunderbird instance, thus this problem might
even be a feature it it is documented. Nevertheless this is a bug IMHO
and I will send it upstream.

--
 GPG messages preferred. | .''`. ** Debian GNU/Linux **
 Alexander Sack | : :' : The universal
 <email address hidden> | `. `' Operating System
 http://www.jwsdot.com/ | `- http://www.debian.org/

Message-ID: <email address hidden>
Date: Tue, 05 Oct 2004 22:43:38 +0200
From: Alexander Sack <email address hidden>
To: yoann <email address hidden>, <email address hidden>
Subject: Re: Bug#272156: mozilla-thunderbird-enigmail: strange behavior with
 remember passphrase

yoann wrote:

>It's two different inboxes in the same running thunderbird instance
>
>
>
If those two different inboxes have a different key-passwd, are you
asked everytime when switching between them or just for the first time?

--
 GPG messages preferred. | .''`. ** Debian GNU/Linux **
 Alexander Sack | : :' : The universal
 <email address hidden> | `. `' Operating System
 http://www.jwsdot.com/ | `- http://www.debian.org/

Message-ID: <email address hidden>
Date: Wed, 6 Oct 2004 10:17:39 +0200 (CEST)
From: <email address hidden>
To: <email address hidden>
Subject: Re: Bug#272156: mozilla-thunderbird-enigmail: strange behavior withremember passphrase

>>It's two different inboxes in the same running thunderbird instance
>>
> If those two different inboxes have a different key-passwd, are you
> asked everytime when switching between them or just for the first time?

I'm asked everytime when switching between them

Yoann

> --
> GPG messages preferred. | .''`. ** Debian GNU/Linux **
> Alexander Sack | : :' : The universal
> <email address hidden> | `. `' Operating System
> http://www.jwsdot.com/ | `- http://www.debian.org/

What about the certificate? Have you checked it recently?