GNOME Bugzilla – Bug 551235
seahorse plugin in evolution decrypts files in .evolution and leaves them there!
Last modified: 2008-09-07 22:00:37 UTC
Please describe the problem: There is a serious security hole in the Seahorse plugin for Evolution. When you click on an attachment and choose the "Decrypt file" option, it decrypts the file under ./.evolution/cache/tmp/evolution-tmp-XXXXXX, without noticing the user. Once you close Evolution, the "clear" file remains there! So 1) you did not read the attachment from Evolution (thus making this plugin useless), and 2) the "clear" attachment is still on the disk! Thanks, Steps to reproduce: Actual results: Expected results: Does this happen every time? Yes Other information: This bug was reported on Launchpad: https://bugs.edge.launchpad.net/ubuntu/+source/seahorse/+bug/176454
Could you check how the evolution plugin is decrypting files, if it's calling seahorse-tool it's a bug for us, if not it's an evolution bug as we didn't write that plugin.
I've run evolution with strace evolution 2>&1 | grep seahorse and when i open the attachment there is open("/usr/share/applications/seahorse-pgp-encrypted.desktop", O_RDONLY|O_LARGEFILE) = 45 in which seahorse-tool --decrypt will be exceuted. So I guess its a seahorse issue.
Ok, thanks. It's a dup then.Thanks for the bug report. This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find. *** This bug has been marked as a duplicate of 414235 ***