Bug#924616: RFT and RFC: Updates for evolution{,-data-server}

Jonas Meurer jonas at freesources.org
Wed Apr 24 11:56:18 BST 2019


Jonas Meurer:
> With evolution-data-server, the situation is slightly more complicated.
> I'm still debugging issues with the patches[5] that are supposed to fix
> the "[GPG] Mails that are not encrypted look encrypted" issue.
> 
> [5] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a29
> and https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e24
> 
> My question: do you agree that these fixes are within the scope of
> CVE-2018-15587? If so, then I will continue working on the issue and
> upload both of evolution and evolution-data-server in a batch once I got
> the issues sorted out.
> 
> Another option would be to upload evolution to jessie-security right now
> and decide that evolution-data-server is not affected by CVE-2018-15587,
> since it's only prone to "encrypted message spoofing", not to "signature
> spoofing". But in my eyes, that would be a sham.

Looking more into the core issue[1] of "[GPG] Mails that are not
encrypted look encrypted", it became clear that a lot of applications
(GnuPG[2], Enigmail[3], Mutt[4]) are affected and it's not tracked as
security issue for any of them.

In fact it's tracked for evolution{,-data-server} in the debian security
tracker only because the issue is mentioned in the CVE-2018-15587
bugreport[5].

Besides, I agree with the bug author that "this bug is certainly not in
the same category as a serious security vulnerability, such as a
plaintext leak or a signature spoof"[1].

So I changed my mind and decided to ignore the "encryption spoofing" bug
and only care about "signature spoofing". This means that
evolution-data-server is unaffected and only evolution needs to be fixed.

Cheers
 jonas

[1] https://neopg.io/blog/encryption-spoof/
[2] https://dev.gnupg.org/T4000
[3] https://sourceforge.net/p/enigmail/bugs/854/
[4] https://gitlab.com/muttmua/mutt/issues/39
[5] https://gitlab.gnome.org/GNOME/evolution/issues/120

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20190424/5df6efa0/attachment.sig>


More information about the pkg-gnome-maintainers mailing list