Hi again

Also I think we need to consider the backwards compatibility of this. I guess there are quite a lot of emails with text before and after the signed text. If they will no longer be accepted this essentially means that the purpose of this function is pointless giving a less secure system than before. Less secure because most messages will not be verified and legitimate messages will be considered insecure, even if they are not. The user of the system cannot tell the difference.
// Ola

On Mon, 7 Sep 2020 at 09:56, Ola Lundqvist <o...@inguza.com> wrote:

> Hi
>
> To completely fix the second part of this CVE I think an API change is
> necessary.
> The API needs to return a list of unsigned and signed portions of the
> message so the application using it can make it visible what parts are
> signed and what parts are not.
> However such a change is large and cannot be done in LTS.
>
> Regarding the security purpose of the hash information I cannot really
> judge. I think it serves very little function but I could be wrong.
>
> Cheers
>
> // Ola
>
> On Mon, 7 Sep 2020 at 01:08, Brian May <b...@debian.org> wrote:
>
>> Attached is my patch for Stretch, based on the upstream patch.
>>
>> I am a bit uneasy about applying this and marking CVE-2019-11841 as
>> fixed, because contrary to what upstream say I don't think
>> CVE-2019-11841 is actually fixed. From the CVE description:
>>
>> [...] However, the Go clearsign package ignores the value of this
>> header, which allows an attacker to spoof it. Consequently, an
>> attacker can lead a victim to believe the signature was generated
>> using a different message digest algorithm than what was actually
>> used. [...]
>>
>> The upstream patch has done nothing to address this.
>> --
>> Brian May <b...@debian.org>
>>
>
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> |  o...@inguza.com                    o...@debian.org            |
> |  http://inguza.com/               Mobile: +46 (0)70-332 1551 |
>  ---------------------------------------------------------------
>
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/               Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
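
The quoted proposal above (an API that reports which portions of a message are signed and which are not) can be illustrated with the following added example; it is not code from golang.org/x/crypto, the upstream patch, or the Debian patch. `Segment`, `Split` and `sample` are hypothetical names, the sample message is constructed, and the sketch assumes a single clearsigned block whose marker lines carry no trailing whitespace. It only partitions the text and reports the sender-claimed `Hash:` header; it performs no signature verification.

```go
package main

import (
	"fmt"
	"strings"
)

// Segment is one part of a message; Signed is true only for the clearsigned body.
type Segment struct {
	Signed bool
	Text   string
}

// Constructed sample: unsigned text wrapped around a block with a dummy signature.
const sample = "Also pay invoice 43.\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" +
	"Invoice 42 is approved.\n- -- Alice\n-----BEGIN PGP SIGNATURE-----\n\nQ09OU1RSVUNURUQ=\n" +
	"-----END PGP SIGNATURE-----\nP.S. approve 44 too.\n"

// Split (hypothetical) separates signed from unsigned text and lists claimed Hash headers; it verifies nothing.
func Split(msg string) (segs []Segment, hashes []string, err error) {
	msg = "\n" + strings.ReplaceAll(msg, "\r\n", "\n")
	before, rest, ok1 := strings.Cut(msg, "\n-----BEGIN PGP SIGNED MESSAGE-----\n")
	headers, rest, ok2 := strings.Cut("\n"+rest, "\n\n")
	body, rest, ok3 := strings.Cut("\n"+rest, "\n-----BEGIN PGP SIGNATURE-----\n")
	_, after, ok4 := strings.Cut(rest, "\n-----END PGP SIGNATURE-----")
	if !(ok1 && ok2 && ok3 && ok4) {
		return nil, nil, fmt.Errorf("no complete clearsigned block found")
	}
	for _, h := range strings.Split(headers, "\n") {
		if strings.HasPrefix(h, "Hash: ") {
			hashes = append(hashes, strings.TrimPrefix(h, "Hash: "))
		}
	}
	body = strings.ReplaceAll("\n"+body, "\n- ", "\n") // undo dash-escaping
	for _, s := range []Segment{{false, before}, {true, body}, {false, after}} {
		if s.Text = strings.Trim(s.Text, "\n"); s.Text != "" {
			segs = append(segs, s) // surrounding blank lines dropped for display
		}
	}
	return segs, hashes, nil
}

func main() {
	segs, hashes, err := Split(sample)
	fmt.Println("claimed hash:", hashes, "error:", err)
	for _, s := range segs {
		fmt.Printf("signed=%v %q\n", s.Signed, s.Text)
	}
}
```

An application would render only the `Signed` segment as verified once the signature check itself has passed, and treat the `Hash:` value as a claim to compare against the digest algorithm recorded in the signature packet.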