[Pkg-mozext-maintainers] Bug#891882: enigmail 2.0~beta1 runs unsandboxed code (pepmda) from the Internet without prompting the user

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 1 22:50:20 UTC 2018 

Package: enigmail
Version: 2:2.0~beta1-1
Severity: normal

enigmail 2.0 downloads pepmda from the internet by default, even for
users who have not opted into using pep.  This includes the following
files, which either duplicate code already in debian, or which we
don't have source for in debian:

  3589171  28708 -rwxr-xr-x   1 tst      tst      29394216 Feb 25 14:48 pepmda/bin/pep-json-server
  3589180      4 -rw-r--r--   1 tst      tst          1206 Feb 25 14:49 pepmda/release.json
  3589178  18816 -rw-r--r--   1 tst      tst      19267584 Feb 25 14:48 pepmda/share/pEp/system.db
  3589169      4 -rw-r--r--   1 tst      tst          1150 Feb 25 14:49 pepmda/share/pEp/html/json-test.ico
  3589177      4 -rw-r--r--   1 tst      tst          2991 Feb 25 14:49 pepmda/share/pEp/html/index.html
  3572660     20 -rw-r--r--   1 tst      tst         18104 Feb 25 14:49 pepmda/share/pEp/html/interactive.js
  3589188     84 -rw-r--r--   1 tst      tst         85589 Feb 25 14:49 pepmda/share/pEp/html/jquery-2.2.0.min.js
  3534200   4292 -rwxr-xr-x   1 tst      tst       4393056 Feb 25 14:48 pepmda/lib/libetpan.so.17
  3589184    304 -rw-r--r--   1 tst      tst        308360 Feb 25 14:48 pepmda/lib/libevent-2.0.so.5
  3589182    596 -rwxr-xr-x   1 tst      tst        610128 Feb 25 14:48 pepmda/lib/libpEpEngine.so
  3572662   1796 -rw-r--r--   1 tst      tst       1835928 Feb 25 14:48 pepmda/lib/libstdc++.so.6
  3589170     84 -rw-r--r--   1 tst      tst         85112 Feb 25 14:48 pepmda/lib/libgpg-error.so.0
  3589189    284 -rw-r--r--   1 tst      tst        289192 Feb 25 14:48 pepmda/lib/libgpgme.so.11
  3589185   1064 -rw-r--r--   1 tst      tst       1088904 Feb 25 14:48 pepmda/lib/libsqlite3.so.0
  3589183    196 -rw-r--r--   1 tst      tst        198432 Feb 25 14:48 pepmda/lib/libboost_thread.so.1.62.0
  3589174    108 -rw-r--r--   1 tst      tst        108816 Feb 25 14:48 pepmda/lib/libz.so.1
  3589186     80 -rw-r--r--   1 tst      tst         81560 Feb 25 14:48 pepmda/lib/libassuan.so.0
  3589172    608 -rw-r--r--   1 tst      tst        618832 Feb 25 14:48 pepmda/lib/libboost_program_options.so.1.62.0
  3589179     96 -rw-r--r--   1 tst      tst         97392 Feb 25 14:48 pepmda/lib/libgcc_s.so.1
  3589181    116 -rw-r--r--   1 tst      tst        116672 Feb 25 14:48 pepmda/lib/libboost_filesystem.so.1.62.0
  3589173     24 -rw-r--r--   1 tst      tst         22288 Feb 25 14:48 pepmda/lib/libuuid.so.1
  3589187     20 -rw-r--r--   1 tst      tst         18520 Feb 25 14:48 pepmda/lib/libboost_system.so.1.62.0


I don't think it is appropriate for a package in debian; users can't
ensure that these packages are kept up-to-date (or that they meet
debian standards), and they don't necessarily have the free software
guarantees that they might expect, even if pep as distributed today is
entirely free software.

in particular, they are fetched by package/installPep.jsm, which pulls
the info about the p≡p library from
https://www.enigmail.net/service/getPepDownload.svc, which looks like
it permits the controller of https://www.enigmail.net/ to serve
arbitrary data (the fingerprints of the files to download are not
embedded in the enigmail source).

(there are other nagging technical details too, such as this profile
not working in a multiarch scenario, but those are secondary to the
software freedom and arbitrary code execution concerns above)

This appears to remain the situation in subsequent betas of enigmail,
so i'm going to raise the concern upstream.

I do not think this enigmail should make it into debian unstable with
this behavior.  While i'm trying to figure out a satisfactory solution
with upstream, i'll most likely try to patch this part out if i can
figure out how to do so cleanly.

   --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages enigmail depends on:
ii  gnupg                    2.2.5-1
ii  gnupg-agent              2.2.5-1
ii  gnupg2                   2.2.5-1
ii  gpg-agent [gnupg-agent]  2.2.5-1
ii  icedove                  1:52.4.0-1
ii  thunderbird              1:52.6.0-1+b1

Versions of packages enigmail recommends:
ii  pinentry-gnome3 [pinentry-x11]  1.1.0-1
ii  pinentry-gtk2 [pinentry-x11]    1.1.0-1
ii  pinentry-qt [pinentry-x11]      1.1.0-1

enigmail suggests no packages.

-- no debconf information

More information about the Pkg-mozext-maintainers mailing list