"Sylpheed 2.2.7 and earlier does not properly use the --status-fd argument when
invoking GnuPG, which prevents Sylpheed from visually distinguishing between
signed and unsigned portions of OpenPGP messages with multiple components, which
allows remote attackers to forge the contents of a message without detection."
This issue is reported against a suspiciously old version of Sylpheed; bug filed
for verification whether current versions in FE5+ are affected.
Sylpheed uses GPGME, and GPGME 1.1.4 in FE6+ fixes the vulnerability:
FE5 includes a patched version of GPGME 1.1.2