Bug Affects KGPG's Versions From 0.6 to 0.8.2

Adam Pavelec apavelec@benefit-services.com
Mon Nov 11 21:13:01 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- From http://devel-home.kde.org/~kgpg/bug.html

- -----BEGIN QUOTE-----

Grave security bug reported (06.11.02) :

Affects:
Bug affects Kgpg's versions from 0.6 to 0.8.2. 

Description:
A bug in Kgpg's key generation affects all secret keys generated
through Kgpg's wizard. (The bug does not affect keys created in
console/expert mode.) All keys created through the wizard have
an empty passphrase, which means that if someone has access to
your computer and can read your secret key, he/she can decrypt
your files without the need of a passphrase.

Why this bug? Is Kgpg insecure? This bug happened because the
way the passphrase was sent to GnuPG was incorrect. Thus, the
passphrase was considered empty. Basically, Kgpg is just a
frontend that sends command line arguments to GnuPG. So, there
shouldn't be security issues, except when the sent commands are
wrong... I always tried to be very careful... If some users
think it is useful, I could introduce a paranoia mode that
displays each command before executing it.

What can you do:
We strongly recommend that you delete all secret keys created with
the wizard. You can also edit the key and give it a new
passphrase; however, the key may have been compromised in the
meantime.
All Kgpg's users are also strongly advised to update to version
0.9.

Sorry for all the inconvenience...

- -----END QUOTE-----



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0

iD8DBQE90A9vDwRQnkBSh2sRAiRZAKDccjmOX6xRSA4K8KnrBFYaobas8gCfTbKN
S+09uJVmJCYqJw2NlYQCZlM=
=rd47
-----END PGP SIGNATURE-----
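The notice above tells affected users to look for wizard-generated keys, but gives no way to tell from the key material itself whether a secret key is unprotected. The following script is an added example, not code from the KGPG project or from the message's author: it walks an exported OpenPGP secret keyring (the binary form `gpg --export-secret-keys` writes) and flags every secret key or subkey packet whose string-to-key usage octet is 0, which RFC 4880 section 5.5.3 defines as "secret-key data is not encrypted". It assumes v4 keys with RSA, DSA or ElGamal public parts, and the sample keyring it builds is constructed from toy MPIs purely so the parser has something to walk; the timestamp and numbers in it are made up.

```python
"""Flag OpenPGP secret-key packets whose key material is stored unencrypted.

RFC 4880 5.5.3: right after the public-key fields of a secret-key packet comes
a one-octet "string-to-key usage" field. 0 means the secret-key data is not
encrypted; 254/255 mean an S2K specifier follows; any other value is a legacy
symmetric algorithm id. A key saved with an empty passphrase is written with
usage 0, so that octet is exactly what the advisory's condition looks like
on disk. Added example; not part of KGPG or GnuPG.
"""
import struct

SECRET_KEY_TAG = 5
SECRET_SUBKEY_TAG = 7
# Number of MPIs in the public part of a v4 key, by public-key algorithm id:
# 1/2/3 = RSA variants, 16 = ElGamal, 17 = DSA.
PUBKEY_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}


def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet in data (old and new headers)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[i]
                i += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]
                i += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[i:i + length]
        i += length


def s2k_usage(body):
    """Return the S2K usage octet of a v4 secret-key (or subkey) packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    algo = body[5]
    pos = 6  # skip version(1) + creation time(4) + algorithm(1)
    for _ in range(PUBKEY_MPI_COUNT[algo]):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + (bits + 7) // 8  # MPI = 2-byte bit count + ceil(bits/8) bytes
    return body[pos]


def unprotected_keys(keyring):
    """Return (tag, algo, creation_time) for every secret (sub)key with usage 0."""
    found = []
    for tag, body in iter_packets(keyring):
        if tag in (SECRET_KEY_TAG, SECRET_SUBKEY_TAG) and s2k_usage(body) == 0:
            created = struct.unpack(">I", body[1:5])[0]
            found.append((tag, body[5], created))
    return found


# --- constructed sample keyring (toy values, not real keys) -------------------
def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _packet(tag, body):
    # old-format header with a two-octet length field
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def build_sample_keyring():
    created = 1037049181  # made-up creation time of roughly the advisory's era
    rsa_pub = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(0xC0DE) + _mpi(0x10001)
    unprotected = rsa_pub + b"\x00" + _mpi(0x1234)  # usage 0: plaintext secret MPI
    # usage 254, AES-256, iterated+salted SHA-256 S2K, 16-byte IV, dummy ciphertext
    protected = rsa_pub + b"\xfe\x09\x03\x08" + bytes(8) + b"\x60" + bytes(16) + bytes(4)
    dsa_pub = b"\x04" + struct.pack(">I", created) + b"\x11" + _mpi(7) + _mpi(3) + _mpi(2) + _mpi(5)
    sub_unprotected = dsa_pub + b"\x00" + _mpi(1)
    return _packet(5, unprotected) + _packet(5, protected) + _packet(7, sub_unprotected)


if __name__ == "__main__":
    for tag, algo, created in unprotected_keys(build_sample_keyring()):
        print("UNPROTECTED secret %s (algo %d, created %d)"
              % ("subkey" if tag == SECRET_SUBKEY_TAG else "key", algo, created))
```

Run it against a real export with `python3 check.py` after replacing `build_sample_keyring()` with `open("secring.gpg", "rb").read()`. Any key the script reports is usable without a passphrase by anyone who can read the file, which is the condition the notice describes; re-protecting it with `gpg --edit-key` and `passwd` changes the usage octet, but as the notice says, that does not undo any exposure that already happened.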