security issue in enigmail package <0.94.3 (CVE-2007-1264)

Related Vulnerabilities: CVE-2007-1264  

Debian Bug report logs - #415225

Reported by: Daniel Schröter <d.schroeter@gmx.de>

Date: Sat, 17 Mar 2007 09:27:06 UTC

Severity: important

Tags: security

Found in version enigmail/2:0.94.2-1

Done: Rolf Leggewie <debian-bugs@rolf.leggewie.biz>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#415225; Package enigmail.


Acknowledgement sent to Daniel Schröter <d.schroeter@gmx.de>:
New Bug report received and forwarded. Copy sent to Alexander Sack <asac@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Daniel Schröter <d.schroeter@gmx.de>
To: submit@bugs.debian.org
Subject: security issue in enigmail package <0.94.3 (CVE-2007-1264)
Date: Sat, 17 Mar 2007 10:25:11 +0100

Package: enigmail
Version: 2:0.94.2-1
Severity: important
Tags: security

From
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1264
"Enigmail 0.94.2 and earlier does not properly use the --status-fd
argument when invoking GnuPG, which prevents Enigmail from visually
distinguishing between signed and unsigned portions of OpenPGP messages
with multiple components, which allows remote attackers to forge the
contents of a message without detection."

In Debian this problem just occurs if the patch for gnupg is not
installed. That's why I tagged it as "important" and not "critical".

Can you please update enigmail to version 0.94.3 (or backport the patch).

Thanks!

Bye

	Daniel


- --
=========================================================
(gnu)PGP key signed by heise c't magazine available.
http://www.heise.de/security/dienste/pgp/
=========================================================



Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#415225; Package enigmail.


Acknowledgement sent to Alexander Sack <asac@jwsdot.com>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.


Message #10 received at 415225@bugs.debian.org:

From: Alexander Sack <asac@jwsdot.com>
To: Daniel Schröter <d.schroeter@gmx.de>, 415225@bugs.debian.org
Subject: Re: Bug#415225: security issue in enigmail package <0.94.3 (CVE-2007-1264)
Date: Sat, 17 Mar 2007 21:39:05 +0100

On Sat, Mar 17, 2007 at 10:25:11AM +0100, Daniel Schröter wrote:
> From
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1264
> "Enigmail 0.94.2 and earlier does not properly use the --status-fd
> argument when invoking GnuPG, which prevents Enigmail from visually
> distinguishing between signed and unsigned portions of OpenPGP messages
> with multiple components, which allows remote attackers to forge the
> contents of a message without detection."
> 
> In Debian this problem just occurs if the patch for gnupg is not
> installed. That's why I tagged it as "important" and not "critical".
> 
> Can you please update enigmail to version 0.94.3 (or backport the patch).

The gnupg update fixed the security issue. Everything else is just
improved visualization.

 - Alexander
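
The NVD text quoted in this exchange turns on how a front end reads GnuPG's `--status-fd` output. As an added example (not part of the bug log and not Enigmail's or GnuPG's code), this sketch shows one way a front end can refuse to label output as signed when the status lines report more than one plaintext component. It assumes gpg emits one `PLAINTEXT` status line per literal data component; the function names, sample key IDs and status text are constructed.

```python
# Added example: decide how to label gpg output from its --status-fd lines.
# Sample status text below is constructed, not captured from a real run.
PREFIX = "[GNUPG:] "
BAD = {"BADSIG", "ERRSIG"}

def parse_status(status_text):
    """Return [(keyword, args)] for each status line."""
    events = []
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                events.append((fields[0], fields[1:]))
    return events

def signature_verdict(status_text):
    """Classify a run as signed, unsigned, bad-signature or ambiguous.

    status_text must come from the dedicated status descriptor, not stdout.
    Assumption: gpg reports one PLAINTEXT line per literal data component.
    """
    keywords = [kw for kw, _ in parse_status(status_text)]
    if any(kw in BAD for kw in keywords):
        return "bad-signature"
    if "GOODSIG" not in keywords or "VALIDSIG" not in keywords:
        return "unsigned"
    if keywords.count("PLAINTEXT") != 1:
        # A good signature exists, but it is unclear which component it covers.
        return "ambiguous"
    return "signed"

SIGNED_ONLY = """\
[GNUPG:] PLAINTEXT 74 1174123456 msg.txt
[GNUPG:] GOODSIG 0000000000000000 Constructed User <user@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2007-03-17 1174123456
"""
MIXED = "[GNUPG:] PLAINTEXT 74 1174123400 extra.txt\n" + SIGNED_ONLY
UNSIGNED = "[GNUPG:] PLAINTEXT 74 1174123456 msg.txt\n"

if __name__ == "__main__":
    for name, text in (("signed", SIGNED_ONLY), ("mixed", MIXED),
                       ("unsigned", UNSIGNED)):
        print(name, "->", signature_verdict(text))
```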




Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#415225; Package enigmail.


Acknowledgement sent to Daniel Schröter <d.schroeter@gmx.de>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.


Message #15 received at 415225@bugs.debian.org:

From: Daniel Schröter <d.schroeter@gmx.de>
To: Alexander Sack <asac@jwsdot.com>, 415225@bugs.debian.org
Subject: Re: Bug#415225: security issue in enigmail package <0.94.3 (CVE-2007-1264)
Date: Sun, 18 Mar 2007 00:39:34 +0100

Alexander Sack wrote:
>> In Debian this problem just occurs if the patch for gnupg is not
>> installed. That's why I tagged it as "important" and not "critical".
> 
> The gnupg update fixed the security issue. Everything else is just
> improved visualization.

Yes I know that, but like I wrote maybe someone has not installed the
update for gnupg. On the other hand: Why should he then install the
update for enigmail? :-o

Bye
	Daniel


- --
=========================================================
(gnu)PGP key signed by heise c't magazine available.
http://www.heise.de/security/dienste/pgp/
=========================================================



Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#415225; Package enigmail.


Acknowledgement sent to Alexander Sack <asac@jwsdot.com>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.


Message #20 received at 415225@bugs.debian.org:

From: Alexander Sack <asac@jwsdot.com>
To: Daniel Schröter <d.schroeter@gmx.de>
Cc: 415225@bugs.debian.org
Subject: Re: Bug#415225: security issue in enigmail package <0.94.3 (CVE-2007-1264)
Date: Sun, 18 Mar 2007 16:33:01 +0100

On Sun, Mar 18, 2007 at 12:39:34AM +0100, Daniel Schröter wrote:
> Alexander Sack wrote:
> >> In Debian this problem just occurs if the patch for gnupg is not
> >> installed. That's why I tagged it as "important" and not "critical".
> > 
> > The gnupg update fixed the security issue. Everything else is just
> > improved visualization.
> 
> Yes I know that, but like I wrote maybe someone has not installed the
> update for gnupg. On the other hand: Why should he then install the
> update for enigmail? :-o

Exactly :-P

 - Alexander




Reply sent to Rolf Leggewie <debian-bugs@rolf.leggewie.biz>:
You have taken responsibility. (Wed, 02 Sep 2015 08:39:07 GMT)


Notification sent to Daniel Schröter <d.schroeter@gmx.de>:
Bug acknowledged by developer. (Wed, 02 Sep 2015 08:39:07 GMT)


Message #25 received at 415225-done@bugs.debian.org:

From: Rolf Leggewie <debian-bugs@rolf.leggewie.biz>
To: 415225-done@bugs.debian.org
Subject: 0.94 is long gone
Date: Wed, 2 Sep 2015 16:35:07 +0800

oldest maintained version in Debian is 1.0.1-5 in unstable

closing



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Oct 2015 07:30:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:06:36 2019; Machine Name: beach
