Bug#898633: evolution-data-server: efail attack against S/MIME

Yves-Alexis Perez corsac at debian.org
Mon May 14 14:28:34 BST 2018


Package: evolution-data-server
Version: 3.28.2-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

as you are certainly aware, a paper describing a vulnerability called
efail has been published today (https://efail.de). It describes an
attack scenario which can enable an attacker with read/write access to
the encrypted mails to retrieve plaintext via an external server if HTML
mail and loading of remote content is enabled.

The PGP/MIME part is apparently not vulnerable in Evolution, but the
S/MIME seems to be (according to the authors).

It's unclear if a fix needs to be done at the evolution(-data-server)
layer or below, so feel free to reassign to an underlying library if
needed (nss for example).

We'll likely have to issue a DSA at one point.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages evolution depends on:
ii  dbus                   1.12.8-2
ii  evolution-common       3.28.2-1
ii  evolution-data-server  3.28.2-1+b1
ii  libc6                  2.27-3
ii  libcamel-1.2-61        3.28.2-1+b1
ii  libclutter-gtk-1.0-0   1.8.4-3
ii  libecal-1.2-19         3.28.2-1+b1
ii  libedataserver-1.2-23  3.28.2-1+b1
ii  libevolution           3.28.2-1
ii  libglib2.0-0           2.56.1-2
ii  libgtk-3-0             3.22.30-1
ii  libical3               3.0.1-5+b1
ii  libnotify4             0.7.7-3
ii  libsoup2.4-1           2.62.2-1
ii  libwebkit2gtk-4.0-37   2.20.2-1+b1
ii  libxml2                2.9.4+dfsg1-6.1+b1
ii  psmisc                 23.1-1+b1

Versions of packages evolution recommends:
pn  evolution-plugin-bogofilter | evolution-plugin-spamassassin  <none>
pn  evolution-plugin-pstimport                                   <none>
ii  evolution-plugins                                            3.28.2-1
ii  yelp                                                         3.28.1-1

Versions of packages evolution suggests:
pn  evolution-ews                   <none>
pn  evolution-plugins-experimental  <none>
ii  gnupg                           2.2.5-1
ii  network-manager                 1.10.8-1

-- debconf information:
  evolution/needs_shutdown:
  evolution/kill_processes:
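Added example, not Evolution's or Debian's code: a small Python checker for the two preconditions the report names, an S/MIME encrypted part in the same message as an HTML part that references remote content, run over constructed sample messages. The regular expression for remote references and the `.p7m` filename heuristic are assumptions.

```python
"""Flag mail that combines S/MIME encrypted parts with HTML referencing remote
resources. Sample messages are constructed here; the remote-reference regex and
the .p7m filename heuristic are assumptions, not Evolution's own logic."""
import email
import re
from email import policy
from email.message import EmailMessage

# Attributes a client resolves when "load remote content" is enabled (assumed set).
REMOTE_REF = re.compile(
    r'(?:\bsrc\s*=|\bbackground\s*=|\burl\s*\()\s*["\']?\s*(?:https?:)?//',
    re.IGNORECASE,
)
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def is_smime_part(part):
    """True for an S/MIME body part, by content type or (heuristic) .p7m filename."""
    if part.get_content_type() in SMIME_TYPES:
        return True
    return (part.get_filename() or "").lower().endswith(".p7m")


def audit_message(raw_bytes):
    """Return which efail preconditions one RFC 5322 message satisfies."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    has_smime = False
    remote_html_parts = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if is_smime_part(part):
            has_smime = True
        elif part.get_content_type() == "text/html":
            if REMOTE_REF.search(part.get_content()):
                remote_html_parts += 1
    return {"smime": has_smime, "remote_html_parts": remote_html_parts,
            "suspicious": has_smime and remote_html_parts > 0}


def build_sample(with_remote_html):
    """Constructed test message: HTML body plus a placeholder S/MIME attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", "sample"
    html = ('<p>hi <img src="https://example.net/pixel.png"></p>'
            if with_remote_html else "<p>hi</p>")
    msg.set_content(html, subtype="html")
    msg.add_attachment(b"\x30\x82placeholder", maintype="application",
                       subtype="pkcs7-mime", filename="smime.p7m")
    return msg.as_bytes()
```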


