Hello,

Over the last few days, I spent quite some hours on backporting and debugging patches for CVE-2018-15587 (Signature Spoofing in PGP encrypted email) to the evolution and evolution-data-server packages for Jessie LTS.
One problem is that the scope of CVE-2018-15587 is a bit blurry. While the CVE description speaks specifically about the possibility to craft emails in a way that they spuriously appear to be *signed* - a vulnerability that got revealed in the aftermath of SigSpoof - the corresponding bug reports link to several related OpenPGP weaknesses in evolution{-data-server}. E.g., our security tracker additionally links[1] to the upstream bugs "[GPG] Mails that are not encrypted look encrypted"[2] and "Sometimes fails to properly decrypt large GPG encrypted messages"[3].

[1] https://security-tracker.debian.org/tracker/CVE-2018-15587
[2] https://gitlab.gnome.org/GNOME/evolution-data-server/issues/3
[3] https://gitlab.gnome.org/GNOME/evolution-data-server/issues/75

I now have a working version of evolution - at least I tested it thoroughly. It has both the signature spoofing and encryption spoofing bugs fixed. You can find amd64 builds of the packages in my personal repository[4]; further testing is much appreciated.

[4] https://people.debian.org/~mejo/debian/jessie-security/

With evolution-data-server, the situation is slightly more complicated. I'm still debugging issues with the patches[5] that are supposed to fix the "[GPG] Mails that are not encrypted look encrypted" issue.

[5] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a29 and https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e24

My question: do you agree that these fixes are within the scope of CVE-2018-15587? If so, then I will continue working on the issue and upload both evolution and evolution-data-server in a batch once I have the issues sorted out.

Another option would be to upload evolution to jessie-security right now and decide that evolution-data-server is not affected by CVE-2018-15587, since it's only prone to "encrypted message spoofing", not to "signature spoofing". But in my eyes, that would be a sham.
Another problem is that I'm already five hours over my allocated LTS time for April. I'm fine with doing some extra volunteer work on the issue though.

Cheers,
jonas
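As an added illustration of the "looks encrypted or signed but is not" class of problem the mail above discusses (example code written for this page, not the evolution or evolution-data-server patches): a check that derives the encrypted/signed status of a message from its RFC 3156 PGP/MIME structure alone, so that armor text sitting inside an ordinary text/plain body is never reported as encrypted. The two sample messages are constructed and contain placeholder text rather than real ciphertext.

```python
from email import message_from_string
from email.message import Message

# Constructed sample: a genuine RFC 3156 PGP/MIME encrypted message (the
# "ciphertext" is placeholder text, not real gpg output).
REAL_ENCRYPTED = """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder-ciphertext
-----END PGP MESSAGE-----
--b1--
"""

# Constructed sample: plain text that merely contains PGP armor lines. A client
# that keys its "encrypted" indicator on body text would mislabel this.
LOOKALIKE = """\
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
placeholder-ciphertext
-----END PGP MESSAGE-----
"""

def pgp_mime_status(msg: Message) -> str:
    """Return 'encrypted', 'signed' or 'plain' from MIME structure only.
    'signed' only means a signature part is present; whether it verifies is
    a separate question for gpg, and the UI must take its answer from there."""
    ctype = msg.get_content_type()
    proto = (msg.get_param("protocol") or "").lower()
    parts = msg.get_payload() if msg.is_multipart() else []
    if (ctype == "multipart/encrypted" and proto == "application/pgp-encrypted"
            and len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream"):
        return "encrypted"
    if (ctype == "multipart/signed" and proto == "application/pgp-signature"
            and len(parts) == 2
            and parts[1].get_content_type() == "application/pgp-signature"):
        return "signed"
    return "plain"

def classify(raw: str) -> str:
    """Parse a raw RFC 822 message and classify it."""
    return pgp_mime_status(message_from_string(raw))

if __name__ == "__main__":
    for name, raw in (("real", REAL_ENCRYPTED), ("lookalike", LOOKALIKE)):
        print(name, classify(raw))
```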