Bug #16738

Enigmail vulnerable to signature spoofing (again): CVE-2019-12269

Added by segfault 5 months ago. Updated 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
Due date:
% Done:

100%

Feature Branch:
bugfix/16738-enigmail-signature-spoofing
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Email Client

Description

Enigmail 2.0.11 was released today, which fixes another signature spoofing vulnerability:
https://www.enigmail.net/index.php/en/download/changelog#enig2.0.11
https://sourceforge.net/p/enigmail/bugs/983/


Related issues

Related to Tails - Bug #16978: Install Enigmail from Buster (Resolved)
Blocks Tails - Feature #16209: Core work: Foundations Team (Confirmed)

Associated revisions

Revision 88cd908e (diff)
Added by segfault 3 months ago

Install enigmail from Sid (refs: #16738)

The versions currently in Buster (and Stretch) are still vulnerable to
signature spoofing (CVE-2019-12269).

Revision fd7dc2d4 (diff)
Added by segfault 3 months ago

Install enigmail from Sid (refs: #16738)

The versions currently in Buster (and Stretch) are still vulnerable to
signature spoofing (CVE-2019-12269).

Revision 73ea0ddc (diff)
Added by segfault 3 months ago

Install enigmail from Sid (refs: #16738)

The versions currently in Buster (and Stretch) are still vulnerable to
signature spoofing (CVE-2019-12269).

Revision e812b16f (diff)
Added by segfault 2 months ago

Install enigmail from Bullseye (refs: #16738)

The versions currently in Buster (and Stretch) are still vulnerable to
signature spoofing (CVE-2019-12269).

Revision 820aa58c (diff)
Added by segfault 2 months ago

Enable the bullseye APT repository (refs: #16738)

We now pin packages to Bullseye, so we have to enable the repository.

Revision 931874d3
Added by intrigeri 2 months ago

Merge remote-tracking branch 'origin/bugfix/16738-enigmail-signature-spoofing' into devel (Closes: #16738)

History

#1 Updated by intrigeri 5 months ago

#2 Updated by intrigeri 5 months ago

  • Affected tool set to Email Client

#3 Updated by segfault 5 months ago

  • Description updated (diff)

2.0.11 is in sid now: https://tracker.debian.org/news/1040308/accepted-enigmail-22011ds1-1-source-into-unstable

And there is a CVE (CVE-2019-12269) but it's not tracked in the Debian security bug tracker, so it's not entirely clear to me whether the version we ship in 3.14 (2.0.8-5~deb9u1 from Stretch) is vulnerable, but I assume that it is (https://nvd.nist.gov/vuln/detail/CVE-2019-12269 says that versions before 2.0.11 are vulnerable).

There is no new version in Stretch.

#4 Updated by intrigeri 5 months ago

And there is a CVE (CVE-2019-12269) but it's not tracked in the Debian security bug tracker, so it's not entirely clear to me whether the version we ship in 3.14 (2.0.8-5~deb9u1 from Stretch) is vulnerable, but I assume that it is (https://nvd.nist.gov/vuln/detail/CVE-2019-12269 says that versions before 2.0.11 are vulnerable).

https://security-tracker.debian.org/tracker/CVE-2019-12269 says that 2:2.0.8-5~deb9u1 is vulnerable.

#5 Updated by intrigeri 4 months ago

  • Subject changed from Enigmail vulnerable to signature spoofing (again) to Enigmail vulnerable to signature spoofing (again): CVE-2019-12269

#6 Updated by intrigeri 4 months ago

  • Target version set to Tails_3.15

Let's try to fix this in 3.15. Currently the only realistic option seems to be to upgrade to the version that's in sid.

#7 Updated by segfault 4 months ago

intrigeri wrote:

Currently the only realistic option seems to be to upgrade to the version that's in sid.

The version in sid depends on a newer libc version. Not sure whether it's a good idea to upgrade that. Here is the full list of packages installed/upgraded when installing enigmail from sid on Tails 3.14:

amnesia@amnesia:~$ sudo apt install -t sid enigmail
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  dirmngr gnupg gnupg-agent gnupg-l10n gnupg-utils gpg gpg-agent
  gpg-wks-client gpg-wks-server gpgconf gpgsm gpgv libassuan0 libc-bin
  libc-l10n libc6 libgcrypt20 libgnutls30 libhogweed4 libidn2-0 libnettle6
  libp11-kit0 libtasn1-6 libunistring2 locales-all nocache p11-kit-modules
  scdaemon
Suggested packages:
  parcimonie xloadimage glibc-doc locales gnutls-bin
The following NEW packages will be installed:
  gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf
  gpgsm libunistring2
The following packages will be upgraded:
  dirmngr enigmail gnupg gnupg-agent gpgv libassuan0 libc-bin libc-l10n libc6
  libgcrypt20 libgnutls30 libhogweed4 libidn2-0 libnettle6 libp11-kit0
  libtasn1-6 locales-all nocache p11-kit-modules scdaemon
20 upgraded, 9 newly installed, 0 to remove and 1300 not upgraded.
Need to get 27.9 MB of archives.
After this operation, 114 MB of additional disk space will be used.

#8 Updated by intrigeri 4 months ago

  • Target version changed from Tails_3.15 to Tails_4.0

segfault wrote:

intrigeri wrote:

Currently the only realistic option seems to be to upgrade to the version that's in sid.

The version in sid depends on a newer libc version.

Ouch, indeed it depends on gnupg (>= 2.2.8-2~). So I say let's not do extra work to handle this with higher priority than Debian does. If/when this is fixed in Stretch, great, it'll be fixed in Tails. In the meantime, we can fix this in feature/buster by installing the package from sid. But it would be nice to check with dkg why this is not fixed in Buster.

#9 Updated by segfault 3 months ago

  • Status changed from Confirmed to In Progress

#10 Updated by segfault 3 months ago

  • Feature Branch set to bugfix/16738-enigmail-signature-spoofing

intrigeri wrote:

So I say let's not do extra work to handle this with higher priority than Debian does. If/when this is fixed in Stretch, great, it'll be fixed in Tails. In the meantime, we can fix this in feature/buster by installing the package from sid.

Pushed a commit to the feature branch, waiting for Jenkins results.

But it would be nice to check with dkg why this is not fixed in Buster.

I agree. We could do this here, right?

#11 Updated by segfault 3 months ago

  • Assignee set to segfault

#12 Updated by intrigeri 3 months ago

But it would be nice to check with dkg why this is not fixed in Buster.

I agree. We could do this here, right?

We can try :)

#13 Updated by segfault 3 months ago

@dkg: Hi! Are there any plans to fix CVE-2019-12269 [1] in Buster?

[1] https://security-tracker.debian.org/tracker/CVE-2019-12269

#14 Updated by segfault 3 months ago

Ah, just took another look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929363 and saw the reference to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931126. There it looks like an updated enigmail version will be available either via Buster's security archive or in the first point release.

#15 Updated by segfault 3 months ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (segfault)

#16 Updated by intrigeri 3 months ago

  • Status changed from Needs Validation to In Progress
  • Assignee set to segfault

Ah, just took another look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929363 and saw the reference to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931126. There it looks like an updated enigmail version will be available either via Buster's security archive or in the first point release.

Since then, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931126#35 suggests 2.0.11 might not go into Buster 10.1 and more work is needed.
Still, this should not prevent us from fixing this in 4.0, somehow.

Regarding the proposed branch:

  • Now that Buster is out, I'd rather pin Bullseye (== testing) than sid, which feels less risky.
  • It would be nice to have a ticket to revert this at some point. I suggest target version = 3.17, shortly after the Buster 10.1 release.
  • Did you test Enigmail? I see you're reporting about automated test suite results, but they don't exercise Enigmail.

Feel free to merge yourself into feature/buster with these fixed, and then delete the topic branch so that Jenkins stops building it.

#17 Updated by segfault 2 months ago

  • Related to Bug #16978: Install Enigmail from Buster added

#18 Updated by segfault 2 months ago

  • Status changed from In Progress to Needs Validation
  • Assignee changed from segfault to intrigeri

intrigeri wrote:

  • Now that Buster is out, I'd rather pin Bullseye (== testing) than sid, which feels less risky.

I had to enable the Bullseye APT repo for that.

  • It would be nice to have a ticket to revert this at some point. I suggest target version = 3.17, shortly after the Buster 10.1 release.

Done, see #16978.

  • Did you test Enigmail? I see you're reporting about automated test suite results, but they don't exercise Enigmail.

I thought that we had Enigmail tests in the automated test suite. I now tested it manually.

Feel free to merge yourself into feature/buster with these fixed, and then delete the topic branch so that Jenkins stops building it.

I'll let you have one more look because I had to enable the Bullseye repo.
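The Bullseye pinning that comments #16 and #18 and the "Enable the bullseye APT repository" commit describe, as an added illustration; this is not the Tails branch's own configuration, and the file names, the mirror URL, the priorities and the enigmail-only pin are assumptions:

```shell
#!/bin/sh
# Added example: pull only enigmail from bullseye on a buster system while
# leaving every other package on buster. File names, mirror URL and priorities
# are assumptions, not the configuration used by the Tails branch.
set -eu

# $1: APT configuration root (defaults to /etc/apt; pass a scratch dir to test)
write_enigmail_pins() {
    root="${1:-/etc/apt}"
    mkdir -p "$root/sources.list.d" "$root/preferences.d"

    # 1. Make the bullseye suite known to APT (mirror URL is an assumption).
    cat > "$root/sources.list.d/bullseye.list" <<'EOF'
deb https://deb.debian.org/debian bullseye main
EOF

    # 2. Pin everything from bullseye below the installed-version priority
    #    (100): apt will then never replace an installed buster package with
    #    its bullseye version, and a bullseye enigmail whose dependencies need
    #    newer versions than buster has fails loudly instead of silently
    #    pulling in libc6 and friends (the concern raised in comment #7).
    #    Only enigmail is raised above the buster default (500).
    cat > "$root/preferences.d/enigmail-bullseye" <<'EOF'
Package: *
Pin: release n=bullseye
Pin-Priority: 50

Package: enigmail
Pin: release n=bullseye
Pin-Priority: 990
EOF
}

# Returns the Pin-Priority the generated file assigns to a package pattern
# ("*" or "enigmail"), so the policy can be checked without running apt.
pin_priority_for() {
    awk -v pkg="$2" '
        $1 == "Package:" { cur = $2 }
        $1 == "Pin-Priority:" && cur == pkg { print $2; exit }
    ' "$1/preferences.d/enigmail-bullseye"
}
```

On a real system, `apt-cache policy enigmail` after `apt update` should list the bullseye version as the candidate at priority 990 while `apt-cache policy libc6` still shows the buster candidate; if apt reports an unmet dependency, add a deliberate pin stanza for that one package rather than raising the wildcard priority.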

#19 Updated by intrigeri 2 months ago

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100
