Date: Thu, 25 Jul 2013 02:46:52 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Yves-Alexis Perez <corsac@...ian.org> Subject: Re: CVE Request: evolution mail client GPG key selection issue -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/21/2013 02:02 PM, Yves-Alexis Perez wrote: > Hi, > > an issue with security impact was recently fixed in Evolution. > More details can be found on the Red Hat bug report at > https://bugzilla.redhat.com/show_bug.cgi?id=973728 but it > basically boils down to a wrong selection when choosing the the > keyid for a destination email address. > > Basically, when you have multiple keys in the keyrings, with > overlapping email addresses (like foo@...mple.com and > foobar@...mple.com), you can end up (silently) encrypting to the > wrong recipient. > > It actually happened to me when forwarding embargoed security > issues so it can happen in real life. Now the wrong recipient would > need to actually obtain a copy of the sent mail (since it's sent to > the correct recipient, not the wrong one), but I still think it > warrants a CVE. > > Quick fix was to use the documented format for email searches in > GnuPG (using <> around email addresses) but a more complete fix for > explicit key selection should appear some time in the future. > > Regards, Yeah this was discussed internally a bit at Red Hat after you filed the bug, it's a messy problem. I think one concern was where do you want to place policy decisions for key usage and trust, in GPG, in the app using it, or something else? One concern I have is I sometimes used to (not any more!) download all the signing keys for keys I was using to see if I could establish a web of trust. Of course anyone can sign someone elses key and upload that to the public key servers, so then the potential for grabbing a key from a bad guy increases significantly. Any ways for evolutions please use CVE-2013-4166 for this issue. Has anyone checked other popular mail clients like thunderbird/mutt/etc? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR8OX7AAoJEBYNRVNeJnmT+hQQAMh1vNoTyxu/d5sQidn571z1 2ZGVu07Z+1tFNgHlH1cLNIfw7bnPTy4SydyGFnXdHw4XSFwp52glS0FYYyhyLhwv tsFP0QSQc6jBpcETM9voHTdELHbAGySoY5TZV8gXeLoiboJ+dhCCmJhmCVxlQqgr Q+ae+bR4UcNNZ3TLKIaJbKm+TJdULiGar1iHMXiIYpR+66uekrcCM3uL3yjhgnwk 7+zp8haLv8d2mOUGAkFfsg2Jku/bLnCj4/vRK10EV61pwzkW2/C2lBUhCKpGAEMQ 6o6UkulgZaIP0kRtdNk+tYZAFbzhqiRxyDlXCxmJwRu+p0nJ1OY8Bf3i3oPGeVHq NpMwRbpDAyzYPZTVgvQfdr+GTOaikwbdH37zI8tUk5MXnXSMwDmvOt4nmziCtzK0 rU+DA6p1BQGgDMSc5LNFAp26H70SdIUo1CssoWhTC06Z2nk8LebPfgwCQ6weoyoR InNhmXiCCEwfpOuOEXJ4gWDEL9CxaM1dUpa66QyICFhgLtz7ySJCYMXKAgqhzkk2 vEWEMmAkwMmW9SZaoW3ddhHL8UI1/KB25MhC5icRT89L7ZGr9fGqvLKVsVQWTV1L s68r9o2ChxcMpU/hLul2nHvB36hlBrfLoFZYEl9aTY+p9oOQKrcpffLlOJGJS1eq Lap0JhAntso2FN2hciB8 =UVD4 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.