[sylpheed:36707] Is Sylpheed vulnerable to Efail?

Stefan A. stefan.a at portblue.net
Sun May 20 09:09:17 JST 2018


Lately, there has been a lot of news on Efail, a vulnerability found
in many email clients which allows attackers to reveal the content of
PGP-encrypted emails:
https://arstechnica.com/information-technology/2018/05/decade-old-efail-attack-can-decrypt-previously-obtained-encrypted-e-mails/

Apparently, the bug relates to how email clients parse HTML email. The
official technical paper looked at a number of clients and found that
Claws is one of the few which is not vulnerable:
https://efail.de/efail-attack-paper.pdf

Since Sylpheed and Claws share many similarities, and since parsing of
HTML emails in Sylpheed is intentionally basic, is it safe to assume
that Sylpheed is not vulnerable to Efail?



