[Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[David Bremner]

[-- Attachment #0: Type: message/rfc822, Size: 6349 bytes --]

[-- Attachment #1.1: Type: text/plain, Size: 1656 bytes --]

Package: notmuch-emacs
Version: 0.18.1-1
Severity: normal

Thanks for notmuch-emacs!

When sending mail from notmuch-emacs interface, I usually use pgpmine
signatures, but sometimes I want to send a signed encrypted message, so
I manually edit the mode=sign to mode=signencrypt ... but if I make a
typo, i.e. mode=signinvalidencrypt, notmuch happily and without warning
sends the mail unencrypted.

i.e. #secure method=pgpmime mode=signinvalidencrypt will end up
sending an encrypted message (with the <>, of course).

It seems like it should error out if the mode= is set to an invalid or
unknown value, rather than sending mail in the clear.

I've got this set up in ~/.emacs, not sure what all else might be coming
into play:

 '(message-setup-hook (quote (mml-secure-message-sign)))
 '(notmuch-crypto-process-mime t)


live well,
  vagrant


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (120, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
armhf

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages notmuch depends on:
ii  libc6           2.19-9
ii  libglib2.0-0    2.40.0-4
ii  libgmime-2.6-0  2.6.20-1
ii  libnotmuch3     0.18.1-1
ii  libtalloc2      2.1.1-2
ii  zlib1g          1:1.2.8.dfsg-1

Versions of packages notmuch recommends:
ii  alot           0.3.5-2
ii  gnupg-agent    2.0.25-2
ii  notmuch-emacs  0.18.1-1
ii  notmuch-mutt   0.18.1-1
ii  notmuch-vim    0.18.1-1

notmuch suggests no packages.

-- no debconf information

[-- Attachment #1.2: Type: application/pgp-signature, Size: 818 bytes --]

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[Jani Nikula]

On Thu, 28 Aug 2014, Vagrant Cascadian <vagrant@debian.org> wrote:
> When sending mail from notmuch-emacs interface, I usually use pgpmine
> signatures, but sometimes I want to send a signed encrypted message, so
> I manually edit the mode=sign to mode=signencrypt ... but if I make a
> typo, i.e. mode=signinvalidencrypt, notmuch happily and without warning
> sends the mail unencrypted.
> 
> i.e. #secure method=pgpmime mode=signinvalidencrypt will end up
> sending an encrypted message (with the <>, of course).
> 
> It seems like it should error out if the mode= is set to an invalid or
> unknown value, rather than sending mail in the clear.
> 
> I've got this set up in ~/.emacs, not sure what all else might be coming
> into play:
> 
>  '(message-setup-hook (quote (mml-secure-message-sign)))
>  '(notmuch-crypto-process-mime t)

I'm inclined to think this is a bug in message-mode. But we should
probably try to see what we could do to mitigate this.

As a workaround of sorts, I'd suggest not messing with the #secure tag
manually. Instead, you can use mml-secure-message-sign and
mml-secure-message-sign-encrypt to change the mode.

BR,
Jani.

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 450 bytes --]

On 08/30/2014 03:37 AM, Jani Nikula wrote:
> I'm inclined to think this is a bug in message-mode. 

I agree it's a bug in message-mode, not in notmuch itself.

> As a workaround of sorts, I'd suggest not messing with the #secure tag
> manually. Instead, you can use mml-secure-message-sign and
> mml-secure-message-sign-encrypt to change the mode.

the keybindings for those are usually:

 C-c RET s p
 C-c RET c p

hth,

	--dkg



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[Tomi Ollila]

On Tue, Sep 02 2014, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> On 08/30/2014 03:37 AM, Jani Nikula wrote:
>> I'm inclined to think this is a bug in message-mode. 
>
> I agree it's a bug in message-mode, not in notmuch itself.

I think it might be here:

http://bzr.savannah.gnu.org/lh/emacs/emacs-24/annotate/head:/lisp/gnus/mml.el#L258

(it takes time to load, please wait...)

If cond does not match, then don't fail...

Tomi

>
>> As a workaround of sorts, I'd suggest not messing with the #secure tag
>> manually. Instead, you can use mml-secure-message-sign and
>> mml-secure-message-sign-encrypt to change the mode.
>
> the keybindings for those are usually:
>
>  C-c RET s p
>  C-c RET c p
>
> hth,
>
> 	--dkg
>
>
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> http://notmuchmail.org/mailman/listinfo/notmuch

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[David Edmondson]

On Tue, Sep 02 2014, Tomi Ollila wrote:
> On Tue, Sep 02 2014, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>
>> On 08/30/2014 03:37 AM, Jani Nikula wrote:
>>> I'm inclined to think this is a bug in message-mode. 
>>
>> I agree it's a bug in message-mode, not in notmuch itself.
>
> I think it might be here:
>
> http://bzr.savannah.gnu.org/lh/emacs/emacs-24/annotate/head:/lisp/gnus/mml.el#L258
>
> (it takes time to load, please wait...)
>
> If cond does not match, then don't fail...

This looks to have been fixed in emacs at the end of September 2014.

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[David Bremner]

David Edmondson <dme@dme.org> writes:

> On Tue, Sep 02 2014, Tomi Ollila wrote:
>> On Tue, Sep 02 2014, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>
>>> On 08/30/2014 03:37 AM, Jani Nikula wrote:
>>>> I'm inclined to think this is a bug in message-mode. 
>>>
>>> I agree it's a bug in message-mode, not in notmuch itself.
>>
>> I think it might be here:
>>
>> http://bzr.savannah.gnu.org/lh/emacs/emacs-24/annotate/head:/lisp/gnus/mml.el#L258
>>
>> (it takes time to load, please wait...)
>>
>> If cond does not match, then don't fail...
>
> This looks to have been fixed in emacs at the end of September 2014.

Right, this fix was released in emacs 24.4

I'm a little torn what to do here. On the one hand the upstream change
fixes the bug as reported. On the other hand, if something corrupts the
#secure tag (e.g., by deleting a letter), then the message is still sent
un-uncrypted.

d

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[David Edmondson]

On Sat, Nov 29 2014, David Bremner wrote:
> David Edmondson <dme@dme.org> writes:
>
>> On Tue, Sep 02 2014, Tomi Ollila wrote:
>>> On Tue, Sep 02 2014, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>>
>>>> On 08/30/2014 03:37 AM, Jani Nikula wrote:
>>>>> I'm inclined to think this is a bug in message-mode. 
>>>>
>>>> I agree it's a bug in message-mode, not in notmuch itself.
>>>
>>> I think it might be here:
>>>
>>> http://bzr.savannah.gnu.org/lh/emacs/emacs-24/annotate/head:/lisp/gnus/mml.el#L258
>>>
>>> (it takes time to load, please wait...)
>>>
>>> If cond does not match, then don't fail...
>>
>> This looks to have been fixed in emacs at the end of September 2014.
>
> Right, this fix was released in emacs 24.4
>
> I'm a little torn what to do here. On the one hand the upstream change
> fixes the bug as reported. On the other hand, if something corrupts the
> #secure tag (e.g., by deleting a letter), then the message is still sent
> un-uncrypted.

I'm unclear on what you mean. Is it that "upgrade to 24.4" is not a good
enough answer, because we are still leaving pre-24.4 people out in the
cold?

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[David Bremner]

David Edmondson <dme@dme.org> writes:

>> I'm a little torn what to do here. On the one hand the upstream change
>> fixes the bug as reported. On the other hand, if something corrupts the
>> #secure tag (e.g., by deleting a letter), then the message is still sent
>> un-uncrypted.
>
> I'm unclear on what you mean. Is it that "upgrade to 24.4" is not a good
> enough answer, because we are still leaving pre-24.4 people out in the
> cold?

No, I mean the fix is rather narrow in that editing somewhere else on
the same line causes the same problem as before, even in 24.4

d

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[David Edmondson]

On Mon, Dec 01 2014, David Bremner wrote:
> David Edmondson <dme@dme.org> writes:
>
>>> I'm a little torn what to do here. On the one hand the upstream change
>>> fixes the bug as reported. On the other hand, if something corrupts the
>>> #secure tag (e.g., by deleting a letter), then the message is still sent
>>> un-uncrypted.
>>
>> I'm unclear on what you mean. Is it that "upgrade to 24.4" is not a good
>> enough answer, because we are still leaving pre-24.4 people out in the
>> cold?
>
> No, I mean the fix is rather narrow in that editing somewhere else on
> the same line causes the same problem as before, even in 24.4

Ah, okay. Well, off to emacs-devel with you, then :-D

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[David Edmondson]

[Raking over history...]

On Sat, Nov 29 2014, David Bremner wrote:
> David Edmondson <dme@dme.org> writes:
>
>> On Tue, Sep 02 2014, Tomi Ollila wrote:
>>> On Tue, Sep 02 2014, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>>
>>>> On 08/30/2014 03:37 AM, Jani Nikula wrote:
>>>>> I'm inclined to think this is a bug in message-mode. 
>>>>
>>>> I agree it's a bug in message-mode, not in notmuch itself.
>>>
>>> I think it might be here:
>>>
>>> http://bzr.savannah.gnu.org/lh/emacs/emacs-24/annotate/head:/lisp/gnus/mml.el#L258
>>>
>>> (it takes time to load, please wait...)
>>>
>>> If cond does not match, then don't fail...
>>
>> This looks to have been fixed in emacs at the end of September 2014.
>
> Right, this fix was released in emacs 24.4
>
> I'm a little torn what to do here. On the one hand the upstream change
> fixes the bug as reported. On the other hand, if something corrupts the
> #secure tag (e.g., by deleting a letter), then the message is still sent
> un-uncrypted.

That's true, but it's undoubtedly an upstream bug rather than a
notmuch-emacs bug.

If we apply some heuristic workaround in notmuch, users of gnus (and
mu4e?) will still be vulnerable to the same problem. The right thing to
do is report (and fix) the bug upstream.

Re: [Vagrant Cascadian] Bug#759646: notmuch-emacs: switching mode= to invalid value sends unencrypted mail

[David Bremner]

David Bremner <david@tethera.net> writes:
>
> i.e. #secure method=pgpmime mode=signinvalidencrypt will end up
> sending an encrypted message (with the <>, of course).
>
> It seems like it should error out if the mode= is set to an invalid or
> unknown value, rather than sending mail in the clear.
>
> I've got this set up in ~/.emacs, not sure what all else might be coming
> into play:
>
>  '(message-setup-hook (quote (mml-secure-message-sign)))
>  '(notmuch-crypto-process-mime t)
>

This bug is marked fixed in emacs, so I guess we can mark it fixed in
nmbug as well. For a more detailed discussion see
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18513

d