From: Jeffrey I. Schiller <jis@mit.edu>
Date: Sun, 10 Jul 94 19:47:45 PDT
To: cypherpunks@toad.com
Subject: Bug in PGP2.6 when editing your key
Message-ID: <9407110247.AA28940@big-screw>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

We have found an important bug in PGP 2.6 (and 2.5).

Problem:

If you store  your pass phrase   in the PGPPASS environment  variable or
supply it via the PGPPASSFD hack and you edit your key (pgp -ke) you may
lose.

Specifically if you edit your key and do *not*  change your pass phrase,
then it gets clobbered and you lose access to your private key.

What to do if this happens to you:

You will know that this has happened because you  will edit your key and
then not be  able to use  your  private key.  *IMMEDIATELY* restore your
secring.pgp and    pubring.pgp   from the   ".bak"  versions  that   PGP
automatically creates. This will put things back the way they were.


Work Around:

You can avoid this problem when editing your key by doing one of the two
things below.

1) Remove the PGPPASS environment variable (or don't use PGPPASSFD) when
editing  your key. You   will then have   to manually type in your  pass
phrase when editing your key, but the pass phrase will not get clobbered
this way.

2) If you still use the PGPPASS environment  variable, then when the key
editing process asks you  if you wish to  change your pass phrase answer
"y" (i.e., tell it  that you wish to   change your pass phrase)  it will
then prompt you twice for your new pass phrase. Note: You  can set it to
what it was, effectively not really  changing it. PGP  will not know the
difference and your pass phrase will not get clobbered.

Status:

This problem has   a known fix and  it   will be  included in  the  next
release.

                                -Jeff

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQBVAgUBLiCWkVUFZvpNDE7hAQF/GQIAoWi86mx1TylR5CUWInJrYy/L5kNB0qqB
Uo/gA+u4M7YYeFEVF+voeBBRW686j2ksWaMA3ERTN8o6HWc5hrcf+A==
=fXWk
-----END PGP SIGNATURE-----