[Pkg-mozext-maintainers] Bug#898630: enigmail: efail attack against enigmail

Yves-Alexis Perez corsac at debian.org
Mon May 14 14:15:26 BST 2018


Package: enigmail
Severity: grave
Tags: security
Justification: user security hole

Hi Daniel,

in case you haven't already heard about it by now, a vulnerability has
been published against S/MIME and PGP/MIME in various email clients,
including Thunderbird (and enigmail).

I'm unsure if CVE-2017-17688 (OpenPGP CFB gadget attacks) applies
to Thunderbird/enigmail or only GnuPG, but the PGP/MIME vulnerability
does apply to enigmail.

Some fixes apparently went into enigmail 2.0.0 but I'm unsure which of
them yet, so any pointers appreciated (for example by closing with the
correct version number :).

I think we'll likely want to release a DSA too.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages enigmail depends on:
ii  gnupg                    2.2.5-1
ii  gpg-agent [gnupg-agent]  2.2.5-1
pn  thunderbird | icedove    <none>

Versions of packages enigmail recommends:
ii  pinentry-gnome3 [pinentry-x11]  1.1.0-1+b1
ii  pinentry-gtk2 [pinentry-x11]    1.1.0-1+b1

enigmail suggests no packages.


