[Bug 302735] [NEW] kmail is epically full of various bugs related to security
LimCore
user.ubuntu at limcore.com
Thu Nov 27 09:06:47 UTC 2008
Public bug reported:
Kmail is a vital source of a vast amount of various interesting bugs and
glitches related to security;
I mean, obviously there is lots of nice work there, and some things
offer a lot of functionality, but it seems it needs a bit of re-planning.
Let me list some of them.
- failure to store passphrase for OpenPGP (seen on ubuntu 8.04)
- the "Sign" / "Encrypt" buttons for given message are not well-planned, there is no button to set to NOT encrypt (even if the per-user rules will tell to DO encrypt it).
Solution:
1) calculate "live" all the conditions (the list of recipients and default settings) and based on that show that the message is going to be encrypted or unencrypted (currently this only depends on the clicking of the Encrypt button while editing)
2) change this button to a selection: Encrypt ( )must ( )yes if possible (*)only if all recipients want ( )no
[x] if encrypting then also encrypt to me
and the kmail/identity setting will allow to set one of those 4 as default thing.
then do the same for signing
- while doing that, why not also add this option:
[x] send to BCC in separate emails so that other recipients can not detect BCCs presence based on the list of allowed keys
(I am guessing this is the reason why there are 2 send messages for encrypted emails with BCC recipients)
- currently due to lack of the above thing, I can NOT send an unencrypted
email to given address if I previously set to encrypt to this
address... There is no way to make exception for just 1 email.
- actually, I can, when sending, set his key to nothing, then I am
asked am I sure that I want to send unencrypted message, I choose yes
send unencrypted... but then the email is sent actually as encrypted
(seen on ubuntus 8.10 kmail)
- the crash related to changing selected message while kmail is waiting
for PIN to be entered
- sometimes kmail pops up a kwallet window with password entry to
unlock. But this window is often not visible (not on top, but spawned
behind mail kmail window). Seen on ubuntu 8.10 in GNOME
- sometimes kmail just erases the password that was stored for an
offline IMAP account. I think this happens if kmail popped up kwallet
password window but this window was not used
** Affects: kdepim (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
Kmail is a vital source of a vast amount of various interesting bugs and
glitches related to security;
I mean, obviously there is lots of nice work there, and some things
offer a lot functionality, but it seems it needs a bit of re-planning
Let me list some of them.
- failure to store passphrase for OpenPGP (seen on ubuntu 8.04)
- the "Sign" / "Encrypt" buttons for given message are not well-planned, there is no button to set to NOT encrypt (even if the per-user rules will tell to DO encrypt it).
Solution:
1) calculate "live" all the conditions (the list of recipients and default settings) and based on that show that the message is going to be encrypted or unencrypted (currently this only depends on the clicking of the Encrypt button while editing)
- 2) change this button to a selection: Encrypt ( )must ( )yes is possible (*)only if all recipients want ( )no
+ 2) change this button to a selection: Encrypt ( )must ( )yes if possible (*)only if all recipients want ( )no
+ [x] if encrypting then also encrypt to me
and the kmail/identity setting will allow to set one of thoes 4 as default thing.
then do the same for signing
+
+ - while doing that, why not also add this option:
+ [x] send to BCC in separate emails so that other recipients can not detect BCCs presence based on the list of allowed keys
+ (I am guessing this is the reason why there are 2 send messages for encrypted emails with BCC recipients)
- currently due to lack of the above thing, I can NOT send an un-
encrypted email to given address if I previously set to encrypt to this
address... There is no way to make exception for just 1 email.
- actually, I can, when sending, set his key to nothing, then I am
asked am I sure that I want to send unencrypted message, I choose yes
send unencrypted... but then the email is sent actually as encrypted
(seen on ubuntus 8.10 kmail)
- the crash related to changing selected message while kmail is waiting
for PIN to be entered
- sometimes kmail pops up a kwallet window with password entry to
unlock. But this window is often not visible (not on top, but spawned
behind mail kmail window). Seen on ubuntu 8.10 in GNOME
- sometimes kmail just erases the password that was stored for an
offline IMAP account. I think this happens if kmail popped up kwallet
password window but this window was not used
--
kmail is epically full of various bugs related to security
https://bugs.launchpad.net/bugs/302735
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to kdepim in ubuntu.
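
The four-way selection proposed in the report, with the "also encrypt to me" and separate-BCC options, worked through as an added example. It is not KMail code and not part of the bug report; `Mode`, `Recipient`, `decide`, `plan_deliveries` and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):                      # the four choices proposed in the report
    MUST = "must"
    IF_POSSIBLE = "yes if possible"
    IF_ALL_WANT = "only if all recipients want"
    NO = "no"

@dataclass(frozen=True)
class Recipient:                       # hypothetical model, not a KMail type
    address: str
    has_key: bool                      # a usable public key is known
    wants_encryption: bool = False     # per-recipient rule "encrypt to this address"
    bcc: bool = False

def decide(mode, recipients):
    """Return (encrypt, reason); call again whenever mode or recipients change."""
    missing = [r.address for r in recipients if not r.has_key]
    if mode is Mode.NO:                # explicit choice beats per-recipient rules
        return False, "per-message override"
    if mode is Mode.MUST:              # fail closed rather than send in the clear
        if missing or not recipients:
            raise ValueError("cannot encrypt; no key for: " + ", ".join(missing))
        return True, "encryption required"
    if missing or not recipients:
        return False, "no key for: " + ", ".join(missing)
    if mode is Mode.IF_POSSIBLE:
        return True, "keys available for every recipient"
    want = all(r.wants_encryption for r in recipients)
    return want, "all recipients ask for it" if want else "not all recipients ask for it"

def plan_deliveries(mode, recipients, me, encrypt_to_self=True, split_bcc=True):
    """Return a list of (envelope recipients, addresses whose keys are used)."""
    encrypt, _ = decide(mode, recipients)
    own = [me] if encrypt and encrypt_to_self else []
    def keys(group):
        return [r.address for r in group] + own if encrypt else []
    if not (encrypt and split_bcc):
        return [([r.address for r in recipients], keys(recipients))]
    visible = [r for r in recipients if not r.bcc]
    plans = [([r.address for r in visible], keys(visible))] if visible else []
    plans += [([r.address], keys([r])) for r in recipients if r.bcc]   # one mail per BCC
    return plans

# Constructed sample recipients.
ALICE = Recipient("alice@example.org", has_key=True, wants_encryption=True)
BOB = Recipient("bob@example.org", has_key=True)
CAROL = Recipient("carol@example.org", has_key=True, bcc=True)
```

Because `decide` depends only on the current mode and recipient list, the composer can call it on every change and show the same result that will be used at send time.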