[kleopatra] [Bug 380034] New: Possible exploit: If signed message has added arbitrary text in third line, Kleopatra doesn't warn user that "gpg: Invalid armor header:[content of line]"
lurker69
bugzilla_noreply at kde.org
Sat May 20 15:31:49 BST 2017
https://bugs.kde.org/show_bug.cgi?id=380034
Bug ID: 380034
Summary: Possible exploit: If signed message has added arbitrary text in third line, Kleopatra doesn't warn user that "gpg: Invalid armor header:[content of line]"
Product: kleopatra
Version: unspecified
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
Assignee: aheinecke at intevation.de
Reporter: lurker69 at mail.com
CC: kdepim-bugs at kde.org, mutz at kde.org
Target Milestone: ---
When verifying a signed message in this format: https://pastebin.com/raw/yEiTHhvF
anybody can insert any text in the third line, and Kleopatra will verify the message
and not notify the user that the header contained a line that should not be there.
GPG2.exe, or GPG in a Linux bash shell, shows the warning:
gpg: Invalid armor header: [inserted line] https://i.imgur.com/V28UTgJ.jpg
Kleopatra omits this warning and just shows the green "verification successful"
window.
https://i.imgur.com/0w3AasI.jpg
You can reproduce this with:
https://pastebin.com/raw/yEiTHhvF <-- original, unaltered
https://pastebin.com/raw/np4v7ZFM <-- altered message that also verifies in the GUI
but shows a warning in the command prompt
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x181F01E57A35090F
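The check the report is asking for, as an added example that is not part of the bug report, of Kleopatra, or of GnuPG: a structural pass over a clearsigned message that isolates the armor header block (the lines between "-----BEGIN PGP SIGNED MESSAGE-----" and the first blank line) and flags anything there that is not a "Key: Value" armor header with a key defined in RFC 4880. The point it makes is that such a line sits outside the signed text, so the signature still verifies while the reader sees text the signer never signed. The rule is modelled on the RFC 4880 header syntax, not copied from GnuPG's armor parser, and the two sample messages below are constructed stand-ins for the pastebin examples, with a placeholder (not a real) signature block.

```python
import re

# Armor header lines are "Key: Value" (RFC 4880 section 6.2); these are the
# keys the RFC defines. Anything else in the header block is suspect.
ARMOR_HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")
KNOWN_ARMOR_KEYS = {"Version", "Comment", "MessageID", "Hash", "Charset"}

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Split a clearsigned message into (armor_headers, body_lines, signature_lines).

    Returns None when the framing lines are missing. The armor header block is
    everything between the BEGIN line and the first empty line; the body is the
    dash-escaped signed text that follows that empty line."""
    lines = text.splitlines()
    try:
        begin = lines.index(BEGIN_SIGNED)
        sig_begin = lines.index(BEGIN_SIG, begin + 1)
        sig_end = lines.index(END_SIG, sig_begin + 1)
    except ValueError:
        return None
    headers = []
    i = begin + 1
    while i < sig_begin and lines[i] != "":
        headers.append(lines[i])
        i += 1
    if i == sig_begin:
        return None  # no blank line terminating the header block
    body = lines[i + 1:sig_begin]
    return headers, body, lines[sig_begin:sig_end + 1]


def check_armor_headers(headers):
    """Return (line, reason) pairs for header lines that are not well-formed
    or use a key RFC 4880 does not define. The armor header block is the one
    place an attacker can add visible text without touching the signed data."""
    problems = []
    for line in headers:
        m = ARMOR_HEADER_RE.match(line)
        if m is None:
            problems.append((line, "invalid armor header"))
        elif m.group(1) not in KNOWN_ARMOR_KEYS:
            problems.append((line, "unknown armor header key"))
    return problems


def signed_text(body):
    """Undo dash-escaping to recover the text the signature actually covers.
    Header lines never appear here: they are outside the signed region."""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)


def audit(text):
    """Structural check a verifying UI should run before showing a green result.
    Returns ok=False with a list of warnings when the header block is not clean."""
    parts = split_clearsigned(text)
    if parts is None:
        return {"ok": False, "warnings": [("", "malformed clearsigned message")],
                "signed_text": None}
    headers, body, _sig = parts
    warnings = check_armor_headers(headers)
    return {"ok": not warnings, "warnings": warnings, "signed_text": signed_text(body)}


# Constructed samples (not the pastebin messages); the signature block is a
# placeholder and would not verify with any key.
PLACEHOLDER_SIG = "\n".join([BEGIN_SIG, "", "iQEzBAEBCAAdFiEEplaceholder", "=0000", END_SIG])

ORIGINAL_MSG = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "Pay invoice 42 to account 1111.",
    "- -- ",                      # dash-escaped signature separator "-- "
    PLACEHOLDER_SIG,
])

# Same message with one line injected as the third line, i.e. inside the
# armor header block and therefore outside the signed text.
ALTERED_MSG = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "Pay to account 9999 instead.",
    "",
    "Pay invoice 42 to account 1111.",
    "- -- ",
    PLACEHOLDER_SIG,
])

if __name__ == "__main__":
    for name, msg in (("original", ORIGINAL_MSG), ("altered", ALTERED_MSG)):
        result = audit(msg)
        print(name, "ok" if result["ok"] else "WARN", result["warnings"])
```

Running the block prints a clean result for the original message and a warning naming the injected line for the altered one, while `signed_text` is identical for both: that equality is exactly why a signature check alone passes and why a GUI that drops the armor warning shows a green result for text the signer never signed. A line that imitates a header ("Notice: ...") is caught by the unknown-key rule rather than the syntax rule.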