Date: Thu, 16 Jul 2015 18:34:11 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: kmail: Attachments are not encrypted when "automatic encryption" is selected

> It was reported a while ago to the KDE Bugtracking System, that
> attachments are not encrypted when "automatic encryption" is selected.
>
> Upstream bugreport: https://bugs.kde.org/show_bug.cgi?id=340312
> Fix: http://quickgit.kde.org/?p=kdepim.git&a=commit&h=626c857eb30c0533a4de7836ee843caaa8c00a26
> Debian Bug: https://bugs.debian.org/791800

Use CVE-2014-8878.

Other comments (probably irrelevant):

This general type of issue has been included in CVE before: see CVE-2014-5369.

We feel that it is conceivable that this kmail behavior had been intentional. Encrypting attachments to arbitrary recipients, simply because a PGP key is known, has a usability problem. Some mail systems automatically and silently remove attachments that can't be scanned for malware (e.g., when the pre-encryption content type of the attachment is one that can have malware). This has, in some sense, a risk of "data corruption" because the meaning of a message can be vastly different if the attachment doesn't arrive. If the sender explicitly selects the "encrypt message" option, then that's a very strong signal that encryption is required, and kmail did encrypt attachments in that case. The "automatic encryption" implementation might have made a different tradeoff between security and usability.

But, probably not. We decided to assign a CVE ID anyway because the commit refers to the change as a bug fix, because there was apparently no documentation of an intentional tradeoff, and because we're unaware of any widespread acceptance of a need to avoid encrypted attachments in some cases.
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
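As an added illustration of the failure mode the request describes (example code written for this page, not code from the thread, from KDE or from MITRE): a Python check that walks a MIME message and reports attachment parts that sit outside the PGP/MIME (RFC 3156) multipart/encrypted envelope, which is what an unencrypted attachment on an otherwise encrypted message looks like on the wire. Both messages are constructed with placeholder ciphertext, and the "leaky" layout (attachment as a sibling of the envelope) is an assumption about how such a message is structured, not taken from the bug report.

```python
"""Check a MIME message for attachment parts outside the PGP/MIME (RFC 3156)
multipart/encrypted envelope, i.e. parts that would be sent in cleartext."""
from email import message_from_string


def cleartext_attachments(raw: str) -> list[str]:
    """Return filenames of attachments not wrapped by multipart/encrypted."""
    leaked: list[str] = []

    def walk(part, inside_encrypted: bool) -> None:
        # Everything below a multipart/encrypted node is ciphertext.
        if part.get_content_type() == "multipart/encrypted":
            inside_encrypted = True
        if part.is_multipart():
            for sub in part.get_payload():
                walk(sub, inside_encrypted)
        elif part.get_filename() and not inside_encrypted:
            leaked.append(part.get_filename())

    walk(message_from_string(raw), False)
    return leaked


# Constructed PGP/MIME envelope; the ciphertext line is only a placeholder.
ENCRYPTED_PART = """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

(placeholder for the PGP MESSAGE armor block)
--enc--"""

# Assumed leaky layout: the body is encrypted, but the attachment is a
# sibling of the envelope inside the outer multipart/mixed, so it is cleartext.
LEAKY_MESSAGE = f"""\
Content-Type: multipart/mixed; boundary="outer"

--outer
{ENCRYPTED_PART}
--outer
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

JVBERi0x
--outer--"""
# Correct layout: body and attachment are both inside the envelope.
SAFE_MESSAGE = ENCRYPTED_PART
```

Running `cleartext_attachments` over the two constructed messages returns `['report.pdf']` for the leaky layout and `[]` for the correct one; the same walk can be run over a sent-mail folder to spot messages where only the body was encrypted.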