Mailing List Archive

GPGee version 1.1.2 - Important Security Update
Version 1.1.2 of GPGee has been released. This release fixes a newly
identified security issue.

In previous versions of GPGee, the mechanism that was intended to
overwrite passphrases after they were used had a flaw that prevented
this from occurring. This makes it more likely (though still not very)
that a passphrase could end up being written in the clear to the Windows
swap file.

In addition to fixing the above issue, version 1.1.2 has much more
robust internal handling of passphrases all around. All memory used for
passphrase handling is now locked to prevent it being swapped out.
Also, a better caching mechanism is in place to cache all passphrases
entered during a single verify/decrypt operation. You never have to
enter a passphrase for a particular key more than once when multiple
files are verified/decrypted in a single operation. For security
reasons, passphrases are still not ever cached longer than a single
operation.

For those of you who are unfamiliar with the program, GPGee is the
GnuPG Explorer Extension - a Windows shell extension front end for GnuPG
that gives you access to GnuPG functionality directly through the
Windows explorer right-click context menu.

More information (including a full discussion of the new version, the
security flaw, and its implications) and downloads are available from:
http://gpgee.excelcia.org

Kurt Fitzner
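
Added example, not part of the original announcement and not GPGee's code: a minimal C sketch of the three properties the message describes, namely passphrase memory locked against swapping, one cached passphrase per key for a single operation, and an overwrite when the operation ends. The struct layout and the pp_* names are hypothetical; the Windows branch uses VirtualLock/VirtualUnlock, and the other branch uses mlock/munlock so the sketch also builds on POSIX systems.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#define LOCK(p, n)   (VirtualLock((p), (n)) != 0)
#define UNLOCK(p, n) VirtualUnlock((p), (n))
#else
#include <sys/mman.h>
#define LOCK(p, n)   (mlock((p), (n)) == 0)
#define UNLOCK(p, n) munlock((p), (n))
#endif
#define MAX_KEYS 4
#define PP_MAX   128

/* Hypothetical per-operation cache (illustration, not GPGee's layout). */
struct pp_cache {
    int locked, used;             /* locked: OS agreed to pin the pages */
    char key_id[MAX_KEYS][17];    /* 16 hex digits + NUL */
    char pass[MAX_KEYS][PP_MAX];
};

/* Start of one verify/decrypt operation: pin the cache before use. */
void pp_begin(struct pp_cache *c) {
    memset(c, 0, sizeof *c);
    c->locked = LOCK(c, sizeof *c);
}

/* Remember a passphrase for this operation only; -1 if it does not fit. */
int pp_put(struct pp_cache *c, const char *key_id, const char *pass) {
    if (c->used == MAX_KEYS || strlen(key_id) > 16 || strlen(pass) >= PP_MAX)
        return -1;
    strcpy(c->key_id[c->used], key_id);
    strcpy(c->pass[c->used], pass);
    c->used++;
    return 0;
}

/* NULL means "not cached": the caller prompts once, then calls pp_put(). */
const char *pp_get(const struct pp_cache *c, const char *key_id) {
    for (int i = 0; i < c->used; i++)
        if (strcmp(c->key_id[i], key_id) == 0)
            return c->pass[i];
    return NULL;
}

/* End of operation: overwrite, then unpin. The volatile pointer forces
   every store to happen even though the buffer is not read afterwards. */
void pp_end(struct pp_cache *c) {
    volatile unsigned char *p = (volatile unsigned char *)c;
    int was_locked = c->locked;
    for (size_t i = 0; i < sizeof *c; i++)
        p[i] = 0;
    if (was_locked)
        UNLOCK(c, sizeof *c);
}
```

If the lock call fails (for example because of a locked-memory quota), `locked` stays 0 and the caller can decide whether to proceed; the wipe in `pp_end` runs either way.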