Kevin J. McCarthy
2018-05-19 23:03:27 UTC
I've received a few questions about EFAIL and whether this release has
any related changes, so I hope you'll forgive me for sending a second
mutt-announce email today.
For those unaware, https://efail.de/ disclosed an attack on OpenPGP and
S/MIME emails this past week. The researchers reported mutt-1.7.2 was
not successfully attacked.
So, the short answer is no, mutt-1.10.0 has no changes made as a result
of EFAIL, and the pgp/smime configuration variable changes in this
release are unrelated.
I am neither a security researcher nor a cryptographer, but here are my
current takeaways and suggestions:
* If you are using a version of mutt before 1.6.0 and rely on OpenPGP
encryption, please upgrade. 1.6.0 introduced $pgp_decryption_okay,
which scans the GnuPG status output for a successful decryption code.
* Please make sure you update your config to the values suggested
in contrib/gpg.rc (again, in particular $pgp_decryption_okay).
* Opening a decrypted email in an external browser should be considered
unsafe. Part of the attack was due to HTML injection.
* I don't believe autoviewing dumped HTML via lynx, elinks, etc. is an
issue. However, the researchers did not specifically test that.
-Kevin
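To make the $pgp_decryption_okay check concrete, here is a small Python model of what that setting does. This is an added illustration, not mutt's code and not part of Kevin's message. The regular expression is the value contrib/gpg.rc sets for the variable (set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY"); mutt applies it to the lines gpg writes to --status-fd. The status-line samples and the plaintext are constructed for the example, not captured from a real gpg run, and the function names are hypothetical.

```python
import re

# Pattern contrib/gpg.rc suggests for $pgp_decryption_okay. mutt (1.6.0+)
# matches it against every line gpg writes to --status-fd and only treats
# the decrypted output as trustworthy when some line matches.
PGP_DECRYPTION_OKAY = re.compile(r"^\[GNUPG:\] DECRYPTION_OKAY")


def decryption_okay(status_lines):
    """Return True iff gpg's status output reports a successful decryption."""
    return any(PGP_DECRYPTION_OKAY.search(line) for line in status_lines)


def plaintext_to_display(status_lines, plaintext, check_status=True):
    """Model mutt's decision of what to show the user after running gpg.

    check_status=False models a mutt before 1.6.0, or one whose config does
    not set $pgp_decryption_okay: whatever gpg wrote to stdout is displayed.
    check_status=True models the 1.6.0+ behaviour: without a DECRYPTION_OKAY
    status line the plaintext is discarded (None) and mutt reports an error.
    """
    if check_status and not decryption_okay(status_lines):
        return None
    return plaintext


# Constructed --status-fd samples (illustrative, not real gpg captures).
STATUS_GOOD = [
    "[GNUPG:] ENC_TO 0123456789ABCDEF 1 0",
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_INFO 2 9",
    "[GNUPG:] PLAINTEXT 62 0 ",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] GOODMDC",
    "[GNUPG:] END_DECRYPTION",
]

# Same shape, but gpg reports failure after having written some plaintext:
# the case the status check exists for.
STATUS_TAMPERED = [
    "[GNUPG:] ENC_TO 0123456789ABCDEF 1 0",
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_INFO 0 9",
    "[GNUPG:] PLAINTEXT 62 0 ",
    "[GNUPG:] DECRYPTION_FAILED",
    "[GNUPG:] END_DECRYPTION",
]

PLAINTEXT = "Hello,\n\nthe quarterly numbers are attached.\n"  # constructed


if __name__ == "__main__":
    for name, status in (("good", STATUS_GOOD), ("tampered", STATUS_TAMPERED)):
        old = plaintext_to_display(status, PLAINTEXT, check_status=False)
        new = plaintext_to_display(status, PLAINTEXT)
        print(f"{name}: pre-1.6.0 displays plaintext={old is not None}; "
              f"with $pgp_decryption_okay displays plaintext={new is not None}")
```

The point of the comparison is that the presence of plaintext on gpg's stdout says nothing about whether decryption succeeded; only the status line does. If your muttrc was written before 1.6.0, check that it contains the pgp_decryption_okay line from contrib/gpg.rc and that your $pgp_decrypt_command passes --status-fd=2 as that file does, otherwise the regex has nothing to match.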