Debian Bug report logs -
#406604
CVE-2006-5877: Enigmail crashes on inline gpg
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#406604; Package mozilla-thunderbird-enigmail.
(full text, mbox, link).
Acknowledgement sent to Debian Bugreport Mailaddress <deb@gi2.herzkes.de>:
New Bug report received and forwarded. Copy sent to Alexander Sack <asac@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: mozilla-thunderbird-enigmail
Version: 2:0.91-4sarge2
Severity: grave
Enigmail has had a serious bug for a long time, see
http://bugzilla.mozdev.org/show_bug.cgi?id=9730 for details.
An attacker can send properly crafted encrypted emails to the enigmail
user that will crash the receiver's instance of thunderbird.
Whether it is possible to inject code or to access the user's passphrase
using this aproach is unclear.
A patch fixing the issue appeared on the enigmail mailing list. The
latest enigmail release (from yesterday, version v0.94.2) fixes the issue).
I believe this bug justifies a security updates to sarge and etch.
Regards,
Tobias
Patrick Brunschwig's patch:
Index: enigmail.js
===================================================================
RCS file: /cvs/enigmail/src/package/enigmail.js,v
retrieving revision 1.190
diff -u -r1.190 enigmail.js
--- enigmail.js 8 Jul 2006 16:16:50 -0000 1.190
+++ enigmail.js 11 Jan 2007 10:33:04 -0000
@@ -883,9 +883,6 @@
DEBUG_LOG("enigmail.js: EnigmailProtocolHandler.newChannel:
messageURL="+messageUriObj.originalUrl+", "+contentType+",
"+contentCharset+"\n");
- if (!messageUriObj.persist)
- delete gEnigmailSvc._messageIdList[messageId];
-
} else {
contentType = "text/plain";
Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#406604; Package mozilla-thunderbird-enigmail.
(full text, mbox, link).
Acknowledgement sent to Alexander Sack - Debian Bugmail <asac@debian.org>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.
(full text, mbox, link).
Message #10 received at 406604@bugs.debian.org (full text, mbox, reply):
Yes, I am aware of this issue ... however, I have not yet verified if
sarge version is affected. If so it should definitly get a security
update.
On Fri, Jan 12, 2007 at 10:59:32AM +0100, Debian Bugreport Mailaddress wrote:
> Package: mozilla-thunderbird-enigmail
> Version: 2:0.91-4sarge2
> Severity: grave
>
> Enigmail has had a serious bug for a long time, see
> http://bugzilla.mozdev.org/show_bug.cgi?id=9730 for details.
>
> An attacker can send properly crafted encrypted emails to the enigmail
> user that will crash the receiver's instance of thunderbird.
>
> Whether it is possible to inject code or to access the user's passphrase
> using this aproach is unclear.
>
> A patch fixing the issue appeared on the enigmail mailing list. The
> latest enigmail release (from yesterday, version v0.94.2) fixes the issue).
>
> I believe this bug justifies a security updates to sarge and etch.
>
> Regards,
> Tobias
>
> Patrick Brunschwig's patch:
>
> Index: enigmail.js
> ===================================================================
> RCS file: /cvs/enigmail/src/package/enigmail.js,v
> retrieving revision 1.190
> diff -u -r1.190 enigmail.js
> --- enigmail.js 8 Jul 2006 16:16:50 -0000 1.190
> +++ enigmail.js 11 Jan 2007 10:33:04 -0000
> @@ -883,9 +883,6 @@
>
> DEBUG_LOG("enigmail.js: EnigmailProtocolHandler.newChannel:
> messageURL="+messageUriObj.originalUrl+", "+contentType+",
> "+contentCharset+"\n");
>
> - if (!messageUriObj.persist)
> - delete gEnigmailSvc._messageIdList[messageId];
> -
> } else {
>
> contentType = "text/plain";
>
- Alexander
p.s. please take care that the bug is listed as To: or CC: when
replying to this mail (e.g. /reply-all/).
--
GPG messages preferred. | .''`. ** Debian GNU/Linux **
Alexander Sack | : :' : The universal
asac@debian.org | `. `' Operating System
http://www.asoftsite.org | `- http://www.debian.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#406604; Package mozilla-thunderbird-enigmail.
(full text, mbox, link).
Acknowledgement sent to Debian Bugreports Mailaddress <deb@gi2.herzkes.de>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.
(full text, mbox, link).
Message #15 received at 406604@bugs.debian.org (full text, mbox, reply):
Alexander Sack - Debian Bugmail wrote:
> Yes, I am aware of this issue ... however, I have not yet verified if
> sarge version is affected. If so it should definitly get a security
> update.
I suppose your problem here is the lack of a sarge system. But if it is
lack of an encrypted email that crashes your thunderbird, then I can
provide an example if you want.
I am affected almost daily by this bug (on sarge systems).
Regards,
Tobias
Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#406604; Package mozilla-thunderbird-enigmail.
(full text, mbox, link).
Acknowledgement sent to Alexander Sack - Debian Bugmail <asac@debian.org>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.
(full text, mbox, link).
Message #20 received at 406604@bugs.debian.org (full text, mbox, reply):
On Sun, Jan 14, 2007 at 11:26:26PM +0100, Debian Bugreports Mailaddress wrote:
> Alexander Sack - Debian Bugmail wrote:
> > Yes, I am aware of this issue ... however, I have not yet verified if
> > sarge version is affected. If so it should definitly get a security
> > update.
>
> I suppose your problem here is the lack of a sarge system. But if it is
> lack of an encrypted email that crashes your thunderbird, then I can
> provide an example if you want.
Probably a lack of time I guess.
>
> I am affected almost daily by this bug (on sarge systems).
Yes ... I will take a look and provide an updated package asap.
- Alexander
p.s. please take care that the bug is listed as To: or CC: when
replying to this mail (e.g. /reply-all/).
--
GPG messages preferred. | .''`. ** Debian GNU/Linux **
Alexander Sack | : :' : The universal
asac@debian.org | `. `' Operating System
http://www.asoftsite.org | `- http://www.debian.org/
Reply sent to Alexander Sack <asac@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Debian Bugreport Mailaddress <deb@gi2.herzkes.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #27 received at 406604-close@bugs.debian.org (full text, mbox, reply):
Source: enigmail
Source-Version: 2:0.94.2-1
We believe that the bug you reported is fixed in the latest version of
enigmail, which is due to be installed in the Debian FTP archive:
enigmail_0.94.2-1.diff.gz
to pool/main/e/enigmail/enigmail_0.94.2-1.diff.gz
enigmail_0.94.2-1.dsc
to pool/main/e/enigmail/enigmail_0.94.2-1.dsc
enigmail_0.94.2-1_i386.deb
to pool/main/e/enigmail/enigmail_0.94.2-1_i386.deb
enigmail_0.94.2.orig.tar.gz
to pool/main/e/enigmail/enigmail_0.94.2.orig.tar.gz
mozilla-thunderbird-enigmail_0.94.2-1_all.deb
to pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.94.2-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 406604@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Sack <asac@debian.org> (supplier of updated enigmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 21 Jan 2006 20:00:00 +0100
Source: enigmail
Binary: enigmail mozilla-thunderbird-enigmail
Architecture: source i386 all
Version: 2:0.94.2-1
Distribution: unstable
Urgency: high
Maintainer: Alexander Sack <asac@debian.org>
Changed-By: Alexander Sack <asac@debian.org>
Description:
enigmail - GnuPG support for Icedove
mozilla-thunderbird-enigmail - Transition package for enigmail rename
Closes: 406604
Changes:
enigmail (2:0.94.2-1) unstable; urgency=high
.
* new upstream version fixes potential security issue (Closes: 406604)
Files:
8f74d25170cde1fd547c9a5b882e26c4 1353 mail optional enigmail_0.94.2-1.dsc
13f6598dc5ab3dba8f6d72919e9c647c 1067454 mail optional enigmail_0.94.2.orig.tar.gz
182c59aa207541ed7acce9b0080338a2 18268 mail optional enigmail_0.94.2-1.diff.gz
fe948e765eb7fe48bb64dfe883fc44d5 323332 mail optional enigmail_0.94.2-1_i386.deb
d09256384d97c3c4f5ac4a5e2be91b58 12542 mail optional mozilla-thunderbird-enigmail_0.94.2-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQIVAwUBRbOuSqBE/gcUDGZkAQJOKw/+KgOt2usNVLGcY1kc6KlwKnYf4zKq7R4h
jMVDnZCj9w4psDmzicdfV23WUe5XADIjtvQNqUklX2Gwhx4q/HLf2NOpeWvhfwpH
UQyXwQf/bAVFX7iQLNdFt3pWavw6Yi+y2fF6tFUa/TDbGP3ClzVxlAkHaIaBy8Ba
823p9LI70NoDIiUeSbTw8HR/znruA98MOur551MUlk3PrrKjAVXiN7WqN7SxCZoP
xsp6FDgITjf9I8d2NzRXspiaT4MKFIzCAbE6SG3LMiRDkAWBDoSEx6Tzc8a4UcGc
bo48xk0MGhkyLrXRqAE/6JA4EiQVjtSOPGVDiWoeROartTdqCR0PIebt2+z97hvA
v9SIIbMB8bZREJA52a/O7VpuZ32IhmjP/RpuIRaO45PzXUxHpCEo+bIWrje32wzL
gishObIfrb236Q9RqZcfoIhvgdd3cLFpd8sedvftW75mo0I4m0KhdGn9YsnxVDSF
Ve7AuF8SeaTzFkCQJVsXSvzYxbQLggGdZLx4jtjEsawYVWquC8/bwls3QpzcPX7W
bwJfY3NrJjLMZUQQkpQsw3v7JYY6WTb18X8P1iTFBmu1nn8vqXnpjV7v+FBcpyES
V+lqp71K/Us5YZj8Y+bF+EjJo5ZRUY0L+2vltUeczlXhXDASwDMFpxcw4DyZEb3C
VuE1cY3BQ28=
=RnO9
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#406604; Package mozilla-thunderbird-enigmail,enigmail.
(full text, mbox, link).
Acknowledgement sent to Alexander Sack - Debian Bugmail <asac@debian.org>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.
(full text, mbox, link).
Message #32 received at 406604@bugs.debian.org (full text, mbox, reply):
retitle 406604 CVE-2006-5877: Enigmail crashes on inline gpg
thanks
this is CVE-2006-5877
On Fri, Jan 12, 2007 at 10:59:32AM +0100, Debian Bugreport Mailaddress wrote:
> Package: mozilla-thunderbird-enigmail
> Version: 2:0.91-4sarge2
> Severity: grave
>
> Enigmail has had a serious bug for a long time, see
> http://bugzilla.mozdev.org/show_bug.cgi?id=9730 for details.
- Alexander
p.s. please take care that the bug is listed as To: or CC: when
replying to this mail (e.g. /reply-all/).
--
GPG messages preferred. | .''`. ** Debian GNU/Linux **
Alexander Sack | : :' : The universal
asac@debian.org | `. `' Operating System
http://www.asoftsite.org | `- http://www.debian.org/
Changed Bug title.
Request was from Alexander Sack - Debian Bugmail <asac@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 17 Jun 2007 11:18:25 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:31:21 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon