http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1267

"Sylpheed 2.2.7 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Sylpheed from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection."

This issue is reported against a suspiciously old version of Sylpheed; bug filed for verification whether current versions in FE5+ are affected.
Sylpheed uses GPGME, and GPGME 1.1.4 in FE6+ fixes the vulnerability: http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html FE5 includes a patched version of GPGME 1.1.2 (gpgme-1.1.3-multiple-message.patch).
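The check a mail client can make on GnuPG's `--status-fd` output to catch the multi-component case described above, as an added example that is not part of the original report and is not Sylpheed or GPGME code. `PLAINTEXT`, `GOODSIG`, `BADSIG` and `ERRSIG` are GnuPG status keywords; the function names, the verdict strings, the reject-on-second-`PLAINTEXT` policy and all sample lines are assumptions constructed for illustration.

```python
STATUS_PREFIX = "[GNUPG:] "

# Constructed status-fd samples (not captured from a real gpg run); the key ID,
# timestamps, file names and user ID are made up.
SIGNED_ONLY = """\
[GNUPG:] PLAINTEXT 62 1172000000 msg.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
"""
# An unsigned literal component placed in front of the signed one.
MIXED = """\
[GNUPG:] PLAINTEXT 62 1172000100 note.txt
[GNUPG:] PLAINTEXT 62 1172000000 msg.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
"""
UNSIGNED = "[GNUPG:] PLAINTEXT 62 1172000100 note.txt\n"
BAD = """\
[GNUPG:] PLAINTEXT 62 1172000000 msg.txt
[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.org>
"""


def parse_status(text):
    """Return (keyword, args) pairs for status lines; other output is ignored."""
    out = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                out.append((fields[0], fields[1:]))
    return out


def assess(text):
    """Classify a message from status lines alone (hypothetical client policy)."""
    keywords = [kw for kw, _ in parse_status(text)]
    if keywords.count("PLAINTEXT") > 1:
        # A GOODSIG covers one component only, so the verdict must not be
        # shown for the whole displayed text.
        return "reject-multiple-plaintext"
    if any(kw in ("BADSIG", "ERRSIG") for kw in keywords):
        return "bad-signature"
    if "GOODSIG" in keywords:
        return "signed"
    return "unsigned"


if __name__ == "__main__":
    for name, sample in [("signed", SIGNED_ONLY), ("mixed", MIXED),
                         ("unsigned", UNSIGNED), ("bad", BAD)]:
        print(name, "->", assess(sample))
```

Only lines that begin with the `[GNUPG:] ` prefix are parsed, so text inside the message body that imitates a status line does not change the verdict.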