Bug #16738

Enigmail vulnerable to signature spoofing (again): CVE-2019-12269

Added by segfault 2019-05-21 21:35:09. Updated 2019-08-15 06:28:24.

Status: Resolved
Priority: Normal
Assignee: intrigeri
% Done: 100%
Feature Branch: bugfix/16738-enigmail-signature-spoofing
Type of work: Code
Affected tool: Email Client

Description

Enigmail 2.0.11 was released today which fixes another signature spoofing vulnerability:
https://www.enigmail.net/index.php/en/download/changelog#enig2.0.11
https://sourceforge.net/p/enigmail/bugs/983/


Related issues

Related to Tails - Bug #16978: Install Enigmail from Buster (Resolved)
Blocks Tails - Feature #16209: Core work: Foundations Team (Confirmed)

History

#1 Updated by intrigeri 2019-05-23 07:26:45

#2 Updated by intrigeri 2019-05-23 07:26:52

  • Affected tool set to Email Client

#3 Updated by segfault 2019-05-28 22:59:45

  • Description updated

2.0.11 is in sid now: https://tracker.debian.org/news/1040308/accepted-enigmail-22011ds1-1-source-into-unstable

And there is a CVE (CVE-2019-12269) but it’s not tracked in the Debian security bug tracker, so it’s not entirely clear to me whether the version we ship in 3.14 (2.0.8-5~deb9u1 from Stretch) is vulnerable, but I assume that it is (https://nvd.nist.gov/vuln/detail/CVE-2019-12269 says that versions before 2.0.11 are vulnerable).

There is no new version in Stretch.

#4 Updated by intrigeri 2019-06-01 10:10:54

> And there is a CVE (CVE-2019-12269) but it’s not tracked in the Debian security bug tracker, so it’s not entirely clear to me whether the version we ship in 3.14 (2.0.8-5~deb9u1 from Stretch) is vulnerable, but I assume that it is (https://nvd.nist.gov/vuln/detail/CVE-2019-12269 says that versions before 2.0.11 are vulnerable).

https://security-tracker.debian.org/tracker/CVE-2019-12269 says that 2:2.0.8-5~deb9u1 is vulnerable.

#5 Updated by intrigeri 2019-06-22 13:43:22

  • Subject changed from Enigmail vulnerable to signature spoofing (again) to Enigmail vulnerable to signature spoofing (again): CVE-2019-12269

#6 Updated by intrigeri 2019-06-22 13:46:03

  • Target version set to Tails_3.15

Let’s try to fix this in 3.15. Currently the only realistic option seems to be to upgrade to the version that’s in sid.

#7 Updated by segfault 2019-06-22 19:27:14

intrigeri wrote:
> Currently the only realistic option seems to be to upgrade to the version that’s in sid.

The version in sid depends on a newer libc version. Not sure whether it’s a good idea to upgrade that. Here is the full list of packages installed/upgraded when installing enigmail from sid on Tails 3.14:

amnesia@amnesia:~$ sudo apt install -t sid enigmail
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  dirmngr gnupg gnupg-agent gnupg-l10n gnupg-utils gpg gpg-agent
  gpg-wks-client gpg-wks-server gpgconf gpgsm gpgv libassuan0 libc-bin
  libc-l10n libc6 libgcrypt20 libgnutls30 libhogweed4 libidn2-0 libnettle6
  libp11-kit0 libtasn1-6 libunistring2 locales-all nocache p11-kit-modules
  scdaemon
Suggested packages:
  parcimonie xloadimage glibc-doc locales gnutls-bin
The following NEW packages will be installed:
  gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf
  gpgsm libunistring2
The following packages will be upgraded:
  dirmngr enigmail gnupg gnupg-agent gpgv libassuan0 libc-bin libc-l10n libc6
  libgcrypt20 libgnutls30 libhogweed4 libidn2-0 libnettle6 libp11-kit0
  libtasn1-6 locales-all nocache p11-kit-modules scdaemon
20 upgraded, 9 newly installed, 0 to remove and 1300 not upgraded.
Need to get 27.9 MB of archives.
After this operation, 114 MB of additional disk space will be used.

#8 Updated by intrigeri 2019-06-24 07:31:28

  • Target version changed from Tails_3.15 to Tails_4.0

segfault wrote:
> intrigeri wrote:
>> Currently the only realistic option seems to be to upgrade to the version that’s in sid.

> The version in sid depends on a newer libc version.

Ouch, indeed it depends on gnupg (>= 2.2.8-2~). So I say let’s not do extra work to handle this with higher priority than Debian does. If/when this is fixed in Stretch, great, it’ll be fixed in Tails. In the meantime, we can fix this in feature/buster by installing the package from sid. But it would be nice to check with dkg why this is not fixed in Buster.

#9 Updated by segfault 2019-07-11 20:39:34

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|88cd908eec61dd3dae36b89c02849e48144ee332.

#10 Updated by segfault 2019-07-11 20:41:21

  • Feature Branch set to bugfix/16738-enigmail-signature-spoofing

intrigeri wrote:
> So I say let’s not do extra work to handle this with higher priority than Debian does. If/when this is fixed in Stretch, great, it’ll be fixed in Tails. In the meantime, we can fix this in feature/buster by installing the package from sid.

Pushed a commit to the feature branch, waiting for Jenkins results.

> But it would be nice to check with dkg why this is not fixed in Buster.

I agree. We could do this here, right?

#11 Updated by segfault 2019-07-11 20:42:03

  • Assignee set to segfault

#12 Updated by intrigeri 2019-07-11 21:06:17

>> But it would be nice to check with dkg why this is not fixed in Buster.

> I agree. We could do this here, right?

We can try :)

#13 Updated by segfault 2019-07-14 18:37:43

@dkg: Hi! Are there any plans to fix CVE-2019-12269 [1] in Buster?

[1] https://security-tracker.debian.org/tracker/CVE-2019-12269

#14 Updated by segfault 2019-07-14 18:44:09

Ah, just took another look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929363 and saw the reference to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931126. There it looks like an updated enigmail version will be available either via Buster’s security archive or in the first point release.

#15 Updated by segfault 2019-07-15 23:08:58

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (segfault)

The only failed test scenario is unrelated to enigmail (https://jenkins.tails.boum.org/job/test_Tails_ISO_bugfix-16738-enigmail-signature-spoofing/2/cucumberTestReport/).

#16 Updated by intrigeri 2019-07-30 23:33:32

  • Status changed from Needs Validation to In Progress
  • Assignee set to segfault

> Ah, just took another look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929363 and saw the reference to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931126. There it looks like an updated enigmail version will be available either via Buster’s security archive or in the first point release.

Since then, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931126#35 suggests 2.0.11 might not go into Buster 10.1 and more work is needed.
Still, this should not prevent us from fixing this in 4.0, somehow.

Regarding the proposed branch:

  • Now that Buster is out, I’d rather pin Bullseye (== testing) than sid, which feels less risky.
  • It would be nice to have a ticket to revert this at some point. I suggest target version = 3.17, shortly after the Buster 10.1 release.
  • Did you test Enigmail? I see you’re reporting about automated test suite results, but they don’t exercise Enigmail.

Feel free to merge yourself into feature/buster with these fixed, and then delete the topic branch so that Jenkins stops building it.

#17 Updated by segfault 2019-08-14 15:32:34

  • related to Bug #16978: Install Enigmail from Buster added

#18 Updated by segfault 2019-08-14 15:34:37

  • Status changed from In Progress to Needs Validation
  • Assignee changed from segfault to intrigeri

intrigeri wrote:
> * Now that Buster is out, I’d rather pin Bullseye (== testing) than sid, which feels less risky.

I had to enable the Bullseye APT repo for that.

> * It would be nice to have a ticket to revert this at some point. I suggest target version = 3.17, shortly after the Buster 10.1 release.

Done, see Bug #16978.

> * Did you test Enigmail? I see you’re reporting about automated test suite results, but they don’t exercise Enigmail.

I thought that we had Enigmail tests in the automated test suite. I now tested it manually.

> Feel free to merge yourself into feature/buster with these fixed, and then delete the topic branch so that Jenkins stops building it.

I’ll let you have one more look because I had to enable the Bullseye repo.
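The approach discussed in #16 and #18 (prefer the Enigmail package from Bullseye rather than sid, after enabling that repository) and the collateral-upgrade concern raised by the apt transcript in #7, as an added example in POSIX sh. This is not Tails' own configuration: the preferences file path, the pin priorities 990 and 100, the sample apt output and the function names are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Tails' own configuration: pin one package to a newer suite
# with apt_preferences(5) and check a simulated install for collateral upgrades.
set -eu

# Emit apt_preferences(5) stanzas for /etc/apt/preferences.d/ (path assumed):
# the named package is preferred from the given suite (codename, matched via
# "n="), while everything else from that suite stays at priority 100, below
# the default 500, so it cannot replace an installed package on its own.
# The priorities 990 and 100 are this example's choice, not the ticket's.
pin_stanzas() {
  pkg=$1
  suite=$2
  printf 'Package: %s\nPin: release n=%s\nPin-Priority: 990\n\n' "$pkg" "$suite"
  printf 'Package: *\nPin: release n=%s\nPin-Priority: 100\n' "$suite"
}

# Read `apt-get -s install <pkg>` output on stdin and print, one per line, the
# packages listed under "The following packages will be upgraded:".
upgraded_packages() {
  awk '
    /^The following packages will be upgraded:/ { grab = 1; next }
    /^[^ ]/                                    { grab = 0 }
    grab                                       { for (i = 1; i <= NF; i++) print $i }
  '
}

# Print only the upgrades that touch the C library or its tooling. Those affect
# every binary on the system, so a backport of one mail-client add-on should
# not drag them in; an empty result means the pin is doing its job.
risky_upgrades() {
  upgraded_packages | grep -E '^libc6$|^libc-bin$' || true
}

# Constructed sample, abridged to the shape of the apt transcript in #7.
SAMPLE_APT_OUTPUT='Reading package lists... Done
Building dependency tree
The following additional packages will be installed:
  dirmngr gnupg libc-bin libc6 libgcrypt20
The following NEW packages will be installed:
  gpg gpgconf
The following packages will be upgraded:
  dirmngr enigmail gnupg libc-bin libc6
  libgcrypt20
6 upgraded, 2 newly installed, 0 to remove and 1300 not upgraded.'

# On a Debian-based system the real workflow would be (not run here):
#   pin_stanzas enigmail bullseye | sudo tee /etc/apt/preferences.d/enigmail
#   sudo apt-get update
#   apt-get -s install enigmail | risky_upgrades
# Against the constructed sample the check reports libc-bin and libc6:
printf '%s\n' "$SAMPLE_APT_OUTPUT" | risky_upgrades
```

The point of the second stanza is that enabling a newer suite's repository is not the same as upgrading to it: with the rest of the suite held below the installed priority, only the named package is a candidate, and if that package needs newer dependencies the simulated install says so instead of silently replacing them. Running the simulation through `risky_upgrades` before the real install is the check that would have surfaced the libc6 upgrade seen in #7.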

#19 Updated by intrigeri 2019-08-15 06:28:25

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:tails|931874d35999be7072eeab3f27f2bfd528f61412.