Debian Bug report logs - #415225
security issue in enigmail package <0.94.3 (CVE-2007-1264)
Reported by: Daniel Schröter <d.schroeter@gmx.de>
Date: Sat, 17 Mar 2007 09:27:06 UTC
Severity: important
Tags: security
Found in version enigmail/2:0.94.2-1
Done: Rolf Leggewie <debian-bugs@rolf.leggewie.biz>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>: Bug#415225; Package enigmail.
Acknowledgement sent to Daniel Schröter <d.schroeter@gmx.de>: New Bug report received and forwarded. Copy sent to Alexander Sack <asac@debian.org>.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Package: enigmail
Version: 2:0.94.2-1
Severity: important
Tags: security
From http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1264
"Enigmail 0.94.2 and earlier does not properly use the --status-fd
argument when invoking GnuPG, which prevents Enigmail from visually
distinguishing between signed and unsigned portions of OpenPGP messages
with multiple components, which allows remote attackers to forge the
contents of a message without detection."
In Debian this problem only occurs if the patch for gnupg is not
installed. That's why I tagged it as "important" and not "critical".
Can you please update enigmail to version 0.94.3 (or backport the patch)?
Thanks!
Bye
Daniel
- --
=========================================================
(gnu)PGP-signed key available from heise c't magazine.
http://www.heise.de/security/dienste/pgp/
=========================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (GNU/Linux)
iD8DBQFF+7P3F7lQkYolXTIRAkZEAKDHm0aZy4MuS+dc0ddIppc+GqGvUgCgwXXQ
4f8/DvFZl1WeWod9jR1qPms=
=fIbu
-----END PGP SIGNATURE-----
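The NVD text quoted above turns on how a mail client consumes GnuPG's machine-readable status output rather than its human-readable messages or the decrypted bytes. The following Python script is an added example, not code from this bug report, from Enigmail or from GnuPG: it parses the `[GNUPG:]` status lines that gpg writes when invoked with `--status-fd`, and reports a message as cleanly signed only when exactly one plaintext packet was seen and every signature on it verified; a second PLAINTEXT record alongside a GOODSIG is reported as mixed content, which is the defender-side check for the message structure this CVE concerns. The status keywords (NEWSIG, PLAINTEXT, PLAINTEXT_LENGTH, GOODSIG, BADSIG, ERRSIG, NODATA) are the ones documented in GnuPG's doc/DETAILS; the sample status lines, key ID, user ID and timestamps are constructed, and `verify_with_gpg` is an assumed helper that only shows how the parser would be wired to a real gpg invocation.

```python
"""Added example: classify a GnuPG verification from its --status-fd output."""
import subprocess
from dataclasses import dataclass, field
from typing import Iterable, List

STATUS_PREFIX = "[GNUPG:] "   # every machine-readable status line starts with this


@dataclass
class VerifyReport:
    plaintexts: int = 0                                   # PLAINTEXT records seen
    good_sigs: List[str] = field(default_factory=list)    # key IDs reported by GOODSIG
    bad_sigs: List[str] = field(default_factory=list)     # key IDs reported by BADSIG
    errors: List[str] = field(default_factory=list)       # ERRSIG / NODATA / UNEXPECTED

    @property
    def verdict(self) -> str:
        if self.errors or self.bad_sigs:
            return "INVALID"        # a signature failed: never show the output as signed
        if not self.good_sigs:
            return "UNSIGNED"       # no signature at all
        if self.plaintexts > 1:
            return "MIXED"          # more than one literal packet: unsigned data may be present
        return "SIGNED"


def parse_status(lines: Iterable[str]) -> VerifyReport:
    """Walk gpg's stderr, keeping only the [GNUPG:] status lines."""
    report = VerifyReport()
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw.startswith(STATUS_PREFIX):
            continue                # human-readable 'gpg: ...' chatter, not status output
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "PLAINTEXT":
            report.plaintexts += 1
        elif keyword == "GOODSIG" and args:
            report.good_sigs.append(args[0])
        elif keyword == "BADSIG" and args:
            report.bad_sigs.append(args[0])
        elif keyword in ("ERRSIG", "NODATA", "UNEXPECTED"):
            report.errors.append(keyword)
    return report


def verify_with_gpg(data: bytes) -> VerifyReport:
    """Assumed wiring (requires gpg on PATH; not exercised offline). Status lines are
    sent to fd 2 next to gpg's normal messages; parse_status() separates them by prefix."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "2", "--output", "-", "--decrypt"],
        input=data, capture_output=True, check=False,
    )
    return parse_status(proc.stderr.decode("utf-8", "replace").splitlines())


# Constructed sample status output (not captured from a real gpg run).
KEYID = "0123456789ABCDEF"
CLEAN = [
    "gpg: Signature made Sat Mar 17 09:27:06 2007 UTC",   # human-readable line, ignored
    "[GNUPG:] NEWSIG",
    "[GNUPG:] PLAINTEXT 62 1174123626 msg.txt",
    "[GNUPG:] PLAINTEXT_LENGTH 42",
    f"[GNUPG:] GOODSIG {KEYID} Example User <user@example.org>",
]
MIXED = CLEAN + [
    "[GNUPG:] PLAINTEXT 62 1174123626 extra.txt",          # second literal packet
]
BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] PLAINTEXT 62 1174123626 msg.txt",
    f"[GNUPG:] BADSIG {KEYID} Example User <user@example.org>",
]

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("mixed", MIXED), ("bad", BAD)):
        r = parse_status(sample)
        print(f"{name}: verdict={r.verdict} plaintexts={r.plaintexts} good={r.good_sigs}")
```

A client that looks only at gpg's human-readable lines, or only at whether the decrypted bytes came back, cannot tell a wholly signed message from one with an extra literal packet appended; the status stream is what makes that distinction observable, which is why the NVD entry faults the missing `--status-fd` handling rather than the cryptography.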
Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>: Bug#415225; Package enigmail.
Acknowledgement sent to Alexander Sack <asac@jwsdot.com>: Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.
Message #10 received at 415225@bugs.debian.org (full text, mbox, reply):
On Sat, Mar 17, 2007 at 10:25:11AM +0100, Daniel Schröter wrote:
> From http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1264
> "Enigmail 0.94.2 and earlier does not properly use the --status-fd
> argument when invoking GnuPG, which prevents Enigmail from visually
> distinguishing between signed and unsigned portions of OpenPGP messages
> with multiple components, which allows remote attackers to forge the
> contents of a message without detection."
>
> In Debian this problem only occurs if the patch for gnupg is not
> installed. That's why I tagged it as "important" and not "critical".
>
> Can you please update enigmail to version 0.94.3 (or backport the patch)?
The gnupg update fixed the security issue. Everything else is just
improved visualization.
- Alexander
Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>: Bug#415225; Package enigmail.
Acknowledgement sent to Daniel Schröter <d.schroeter@gmx.de>: Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.
Message #15 received at 415225@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Alexander Sack wrote:
>> In Debian this problem only occurs if the patch for gnupg is not
>> installed. That's why I tagged it as "important" and not "critical".
>
> The gnupg update fixed the security issue. Everything else is just
> improved visualization.
Yes, I know that, but as I wrote, maybe someone has not installed the
update for gnupg. On the other hand: why should he then install the
update for enigmail? :-o
Bye
Daniel
- --
=========================================================
(gnu)PGP-signed key available from heise c't magazine.
http://www.heise.de/security/dienste/pgp/
=========================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.3 (GNU/Linux)
iD8DBQFF/Hw2F7lQkYolXTIRAiHPAKCxUN9nRh+4xptBdhHTwPaDshCiFACffOBC
B4HTu/YNYbd5NPohhLXqiHI=
=2+wO
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>: Bug#415225; Package enigmail.
Acknowledgement sent to Alexander Sack <asac@jwsdot.com>: Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.
Message #20 received at 415225@bugs.debian.org (full text, mbox, reply):
On Sun, Mar 18, 2007 at 12:39:34AM +0100, Daniel Schröter wrote:
> Alexander Sack wrote:
> >> In Debian this problem only occurs if the patch for gnupg is not
> >> installed. That's why I tagged it as "important" and not "critical".
> >
> > The gnupg update fixed the security issue. Everything else is just
> > improved visualization.
>
> Yes, I know that, but as I wrote, maybe someone has not installed the
> update for gnupg. On the other hand: why should he then install the
> update for enigmail? :-o
Exactly :-P
- Alexander
Reply sent to Rolf Leggewie <debian-bugs@rolf.leggewie.biz>: You have taken responsibility. (Wed, 02 Sep 2015 08:39:07 GMT)
Notification sent to Daniel Schröter <d.schroeter@gmx.de>: Bug acknowledged by developer. (Wed, 02 Sep 2015 08:39:07 GMT)
Message #25 received at 415225-done@bugs.debian.org (full text, mbox, reply):
The oldest maintained version in Debian is 1.0.1-5 in unstable.
Closing.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Oct 2015 07:30:19 GMT)
Last modified: Wed Jun 19 16:06:36 2019