Date: Thu, 25 Jul 2013 02:46:52 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Yves-Alexis Perez <corsac@...ian.org> Subject: Re: CVE Request: evolution mail client GPG key selection issue -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/21/2013 02:02 PM, Yves-Alexis Perez wrote: > Hi, > > an issue with security impact was recently fixed in Evolution. > More details can be found on the Red Hat bug report at > https://bugzilla.redhat.com/show_bug.cgi?id=973728 but it > basically boils down to a wrong selection when choosing the the > keyid for a destination email address. > > Basically, when you have multiple keys in the keyrings, with > overlapping email addresses (like foo@...mple.com and > foobar@...mple.com), you can end up (silently) encrypting to the > wrong recipient. > > It actually happened to me when forwarding embargoed security > issues so it can happen in real life. Now the wrong recipient would > need to actually obtain a copy of the sent mail (since it's sent to > the correct recipient, not the wrong one), but I still think it > warrants a CVE. > > Quick fix was to use the documented format for email searches in > GnuPG (using <> around email addresses) but a more complete fix for > explicit key selection should appear some time in the future. > > Regards, Yeah this was discussed internally a bit at Red Hat after you filed the bug, it's a messy problem. I think one concern was where do you want to place policy decisions for key usage and trust, in GPG, in the app using it, or something else? One concern I have is I sometimes used to (not any more!) download all the signing keys for keys I was using to see if I could establish a web of trust. Of course anyone can sign someone elses key and upload that to the public key servers, so then the potential for grabbing a key from a bad guy increases significantly. Any ways for evolutions please use CVE-2013-4166 for this issue. Has anyone checked other popular mail clients like thunderbird/mutt/etc? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR8OX7AAoJEBYNRVNeJnmT+hQQAMh1vNoTyxu/d5sQidn571z1 2ZGVu07Z+1tFNgHlH1cLNIfw7bnPTy4SydyGFnXdHw4XSFwp52glS0FYYyhyLhwv tsFP0QSQc6jBpcETM9voHTdELHbAGySoY5TZV8gXeLoiboJ+dhCCmJhmCVxlQqgr Q+ae+bR4UcNNZ3TLKIaJbKm+TJdULiGar1iHMXiIYpR+66uekrcCM3uL3yjhgnwk 7+zp8haLv8d2mOUGAkFfsg2Jku/bLnCj4/vRK10EV61pwzkW2/C2lBUhCKpGAEMQ 6o6UkulgZaIP0kRtdNk+tYZAFbzhqiRxyDlXCxmJwRu+p0nJ1OY8Bf3i3oPGeVHq NpMwRbpDAyzYPZTVgvQfdr+GTOaikwbdH37zI8tUk5MXnXSMwDmvOt4nmziCtzK0 rU+DA6p1BQGgDMSc5LNFAp26H70SdIUo1CssoWhTC06Z2nk8LebPfgwCQ6weoyoR InNhmXiCCEwfpOuOEXJ4gWDEL9CxaM1dUpa66QyICFhgLtz7ySJCYMXKAgqhzkk2 vEWEMmAkwMmW9SZaoW3ddhHL8UI1/KB25MhC5icRT89L7ZGr9fGqvLKVsVQWTV1L s68r9o2ChxcMpU/hLul2nHvB36hlBrfLoFZYEl9aTY+p9oOQKrcpffLlOJGJS1eq Lap0JhAntso2FN2hciB8 =UVD4 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.