OpenPGP project RNP has patched its flagship product after Mozilla Thunderbird, a major user, was found to be saving users’ private keys in plain text.
The newest version of RNP, 0.15.1, saw a fix for the vulnerability which led to a Thunderbird patch last week after confused users wondered why the email client’s master password wasn’t protecting their private keys.
Still tracked as CVE-2021-29956, the number allocated to the Thunderbird vuln, the RNP bug has now been squashed. In the previous version, calling RNP’s rnp_key_unprotect function followed by rnp_key_protect did not lead to private PGP keys being re-encrypted to protect them from being read.
“rnp_key_unprotect decrypts key data and overwrites key protection settings, and stores key data in unprotected form” explained RN ..
Support the originator by clicking the read the rest link below.
