[Pkg-mozext-maintainers] Bug#970456: thunderbird enigmail remote DoS and security downgrade by using signed attachments

RafaƂ Kryptolog rafal.kryptolog at gmail.com
Wed Sep 16 17:02:15 BST 2020


Package: enigmail
Version: 2:2.1.3+ds1-4~deb10u2

Please classify it as a security problem for the reasons listed below.

An attacker sends a moderately sized message, e.g. 10 MB, and signs it using
enigmail, e.g. using the same version of thunderbird with enigmail.

When the recipient (the victim), using this version of enigmail on debian stable,
opens this message, thunderbird will freeze for 40 seconds using 100%
of 1 core of the CPU (on a 4-core ~2.5 GHz amd64).

This is a remote DoS on thunderbird.

Whenever the recipient selects the message, or opens any attachment in it,
thunderbird freezes each time.

Each time it also consumes a vast amount of RAM (e.g. 100 to 500 MB of
resident size per action).

If this happens a few times, or on an already loaded machine, even a computer
with a reasonable amount of free RAM and swap space will start OOMing or will
generally hang, which is a broader remote DoS.

Closing and restarting thunderbird does seem to free the memory.

Opening an email with 10 1-MB attachments that is signed using openpgp can
take, for example, 10-20 minutes, or is likely to crash in the middle of it.

This is also a security downgrade attack: it causes users to refrain from
using encryption, since it turns out that popular email clients fail to handle
it in a reasonable manner.