Bug#924616: RFT and RFC: Updates for evolution{,-data-server}

Jonas Meurer jonas at freesources.org
Fri Apr 26 19:46:32 BST 2019


Hi Mike,

Mike Gabriel:
> On Wed 24 Apr 2019 12:56:18 CEST, Jonas Meurer wrote:
> 
>> Jonas Meurer:
>>> With evolution-data-server, the situation is slightly more complicated.
>>> I'm still debugging issues with the patches[5] that are supposed to fix
>>> the "[GPG] Mails that are not encrypted look encrypted" issue.
>>>
>>> [5] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a29
>>> and https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e24
>>>
>>> My question: do you agree that these fixes are within the scope of
>>> CVE-2018-15587? If so, then I will continue working on the issue and
>>> upload both of evolution and evolution-data-server in a batch once I got
>>> the issues sorted out.
>>>
>>> Another option would be to upload evolution to jessie-security right now
>>> and decide that evolution-data-server is not affected by CVE-2018-15587,
>>> since it's only prone to "encrypted message spoofing", not to "signature
>>> spoofing". But in my eyes, that would be a sham.
>>
>> Looking more into the core issue[1] of "[GPG] Mails that are not
>> encrypted look encrypted", it became clear that a lot of applications
>> (GnuPG[2], Enigmail[3], Mutt[4]) are affected and it's not tracked as
>> security issue for any of them.
> 
> Is it required to coordinate an according update of those CVEs in
> data/CVE/list with the security team? Sounds like it.

Yep, you're correct. The Security Team is in the loop now and basically
agrees with my evaluation.

>> In fact it's tracked for evolution{,-data-server} in the debian security
>> tracker only because the issue is mentioned in the CVE-2018-15587
>> bugreport[5].
>>
>> Besides, I agree with the bug author that "this bug is certainly not in
>> the same category as a serious security vulnerability, such as a
>> plaintext leak or a signature spoof"[1].
>>
>> So I changed my mind and decided to ignore the "encryption spoofing" bug
>> and only care about "signature spoofing". This means that
>> evolution-data-server is unaffected and only evolution needs to be fixed.
> 
> Your choice of priority sounds good to me.

Thanks a lot for your comments! I just went ahead and uploaded a fixed
evolution to jessie-security. I also consequently removed
evolution-data-server from data/dla-needed.txt.

Cheers
 jonas

