Date: Thu, 16 Jul 2015 18:34:11 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: kmail: Attachments are not encrypted when "automatic encryption" is selected

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It was reported a while ago to the KDE Bugtracking System, that
> attachments are not encrypted when "automatic encryption" is selected.
>
> Upstream bugreport: https://bugs.kde.org/show_bug.cgi?id=340312
> Fix: http://quickgit.kde.org/?p=kdepim.git&a=commit&h=626c857eb30c0533a4de7836ee843caaa8c00a26
> Debian Bug: https://bugs.debian.org/791800

Use CVE-2014-8878.

Other comments (probably irrelevant):

This general type of issue has been included in CVE before: see CVE-2014-5369.

We feel that it is conceivable that this kmail behavior had been intentional. Encrypting attachments to arbitrary recipients, simply because a PGP key is known, has a usability problem. Some mail systems automatically and silently remove attachments that can't be scanned for malware (e.g., when the pre-encryption content type of the attachment is one that can have malware). This has, in some sense, a risk of "data corruption" because the meaning of a message can be vastly different if the attachment doesn't arrive. If the sender explicitly selects the "encrypt message" option, then that's a very strong signal that encryption is required, and kmail did encrypt attachments in that case. The "automatic encryption" implementation might have made a different tradeoff between security and usability.

But, probably not. We decided to assign a CVE ID anyway because the commit refers to the change as a bug fix, because there was apparently no documentation of an intentional tradeoff, and because we're unaware of any widespread acceptance of a need to avoid encrypted attachments in some cases.
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVqDDjAAoJEKllVAevmvmsgzsH/iMc5jgnkEvcCUgwObvTm7eP
2NQS+e7XW/SW15wGSU0erqJIDH0T1rrB1X9iHARuaEHGu3ck1Rth2tu+BhofopCr
eCmmNY+6fWYDGxFpKq+RsCOtzA0+2BaiKbXsANZBz9kTr3ZJuCkEf+5RHMtBeulH
KlaOG7eODpatUSwMDTjlRmBsN2JLsQfJtxViHWGeBapAU/MSVzsfbC0QIJ7Srinu
lk21yICJGj0wL4+EqLympWbn+r/m4XPcDqoEh/giJLKG4Q+fxulJPLG9Ze9wMF42
/0NTs0pRsaQtTwhiKMmi5hl6QxBHhAhD8hZZNeJC7LaddrWA/iIi2ouvVcDcRw0=
=/PrR
-----END PGP SIGNATURE-----
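The failure mode discussed in this thread (body encrypted, attachment sent in the clear) is something a sender or a mail gateway can audit for on the wire. The following Python script is an added example and is not code from kmail, KDE or MITRE; it assumes that the flaw shows up as a PGP/MIME `multipart/encrypted` container with a cleartext attachment part beside it in the outer `multipart/mixed`, and the sample messages are constructed for illustration.

```python
"""Flag attachment parts that sit outside the PGP/MIME encrypted container.

Added example, not kmail code.  Assumption: an incompletely encrypted
message carries a multipart/encrypted part (RFC 3156) with cleartext
attachment siblings in the outer multipart.  Sample messages below are
constructed; the "ciphertext" is a placeholder, not a real PGP message.
"""
from email import message_from_string
from email.message import Message


def find_cleartext_attachments(raw: str) -> list:
    """Return filenames of attachment parts not nested under multipart/encrypted."""
    msg = message_from_string(raw)
    found = []

    def walk(part: Message, inside_encrypted: bool) -> None:
        if part.get_content_type() == "multipart/encrypted":
            inside_encrypted = True
        if part.is_multipart():
            for sub in part.get_payload():
                walk(sub, inside_encrypted)
            return
        # Leaf part: an attachment is only acceptable inside the encrypted container.
        if part.get_content_disposition() == "attachment" and not inside_encrypted:
            found.append(part.get_filename() or "<unnamed>")

    walk(msg, False)
    return found


def message_is_fully_encrypted(raw: str) -> bool:
    """True when no attachment part is visible outside the encrypted container."""
    return find_cleartext_attachments(raw) == []


# Constructed sample: encrypted body with a cleartext attachment beside it.
LEAKY_MESSAGE = """\
From: alice@example.org
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--enc--
--outer
Content-Type: text/plain; name="report.txt"
Content-Disposition: attachment; filename="report.txt"

these numbers were supposed to be encrypted
--outer--
"""

# Constructed sample: everything, attachments included, lives inside the ciphertext.
SAFE_MESSAGE = """\
From: alice@example.org
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext containing body and attachment)
-----END PGP MESSAGE-----
--enc--
"""

if __name__ == "__main__":
    print("leaky:", find_cleartext_attachments(LEAKY_MESSAGE))  # ['report.txt']
    print("safe :", find_cleartext_attachments(SAFE_MESSAGE))   # []
```

The check only sees MIME structure; it cannot tell whether the ciphertext itself contains the attachment, which is why a correctly encrypted message has no attachment part visible at all. Run it against a sent-mail folder to spot messages that look like the kmail behaviour described in the bug report.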