OpenPGP library RNP updates after Thunderbird decrypt-no-recrypt bug squashed
2021-06-02 10:44

OpenPGP project RNP has patched its flagship product after Mozilla Thunderbird, a major user, was found to be saving users' private keys in plain text.

Still tracked as CVE-2021-29956, the number allocated to the Thunderbird vuln, the RNP bug has now been squashed.

In the previous version, calling RNP's rnp_key_unprotect function followed by rnp_key_protect did not lead to private PGP keys being re-encrypted to protect them from being read. "rnp_key_unprotect decrypts key data and overwrites key protection settings, and stores key data in unprotected form," explained RNP in an advisory about the vuln.

When Thunderbird's previous OpenPGP key management flow called rnp_key_unprotect as part of the mail client's process for decrypting PGP-protected emails, the result was that the keys themselves were decrypted and left in plain text on the host device's hard drive.

Although another function exists in RNP to achieve the desired effect of temporarily decrypting the keys, it appeared nobody in either RNP or Mozilla had realised how different the two similar-sounding functions were.

"Upgrading to RNP 0.15.1 fixes this issue. If unprotected keys have been saved outside of RNP, a re-protection step needs to apply," said RNP, noting that the latest version of Thunderbird implements auto-re-protection so your private keys aren't left unencrypted for any passing baddie to sniff out.
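To find stored keys that still need the re-protection step mentioned above, one can read the string-to-key usage octet of each secret-key packet (RFC 4880, section 5.5.3): a value of 0 means the secret material is in cleartext. The following is an added example, not code from RNP, Thunderbird or the original article; the function names and the sample bytes are constructed for illustration, and it assumes binary (dearmored) input containing v4 key packets.

```python
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # RSA, Elgamal, DSA (RFC 4880)
EC_ALGOS = {18, 19, 22}                          # ECDH, ECDSA, EdDSA: curve OID + 1 MPI

def packets(data):
    """Yield (tag, body) for each packet in a binary (dearmored) OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                           # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                    # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def s2k_usage(body):
    """Return the string-to-key usage octet of a v4 secret-key packet body."""
    if body[0] != 4:
        raise ValueError("only v4 key packets handled")
    algo, pos = body[5], 6
    if algo in EC_ALGOS:
        pos += 1 + body[pos]                     # skip curve OID
    for _ in range(1 if algo in EC_ALGOS else PUBLIC_MPIS[algo]):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8               # skip one public MPI
    if algo == 18:
        pos += 1 + body[pos]                     # skip ECDH KDF parameters
    return body[pos]                             # 0 means secret material is cleartext

def cleartext_report(data):
    """Return [(packet kind, stored_in_cleartext)] for each secret-key packet."""
    return [(SECRET_TAGS[t], s2k_usage(b) == 0) for t, b in packets(data) if t in SECRET_TAGS]

_PUB = bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x08\xc5\x00\x02\x03"  # constructed toy RSA public part
SAMPLE = b"\x95\x00\x12" + _PUB + bytes(6) + b"\xc7\x2b" + _PUB + b"\xfe" + bytes(30)
```

Any packet reported as cleartext should be re-protected with a passphrase; ASCII-armored exports must be dearmored before being passed in.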


News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/02/openpgp_rnp_library/

Related Vulnerability

DATE: 2021-06-24
CVE: CVE-2021-29956
VULNERABILITY TITLE: Cleartext Storage of Sensitive Information vulnerability in Mozilla Thunderbird
  OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk.
  network, mozilla, CWE-312
RISK: 4.3