Claws Mail leaks cleartext of encrypted email to the IMAP server
With the default configuration, it leaks at least to the Drafts (according to
Bug #8986) and Queue IMAP folders (see “PGP MIME is insecure (for me)” thread on -dev@ https://mailman.boum.org/pipermail/tails-dev/2015-February/008275.html).
Setting Elevated priority: even if we plan to replace it with Icedove, we still ship Claws Mail and those issues seem serious to me. Worst case, it can be addressed by documentation, and issueing a security advisory pointing to that doc. Existing users of Claws Mail with persistence will need to be explained how to fix their settings anyway.
|Bug #8986: Claws Mail leaks cleartext of encrypted email to the Drafts IMAP folder||Resolved||
|Bug #9000: Claws Mail leaks cleartext of encrypted email to the Queue IMAP folder||Rejected||
|Bug #9161: Write a security advisory about Claws leaking cleartext to IMAP server||Resolved||sajolida||
|Related to Tails - Feature #5316: Improve OpenPGP documentation||Confirmed||2014-01-05|
#4 Updated by sajolida 2015-04-05 19:22:01
I could write a security advisory but first I’d like to be sure whether the problem can or cannot be adressed by technical means in our next version. As the resulting advisory will be much different. So make sure to ping me where this has been investigated enough.
#5 Updated by intrigeri 2015-04-06 08:45:14
> I could write a security advisory
> but first I’d like to be sure whether the problem can or cannot be adressed by technical means in our next version.
> So make sure to ping me where this has been investigated enough.
I’m not aware of anyone being investigating this topic, so I’m afraid you might wait for a while :(
So perhaps we should set a timeout (e.g. 1-2 weeks before the freeze for 1.4).
#6 Updated by sajolida 2015-04-06 14:51:30
anonym did something in https://mailman.boum.org/pipermail/tails-dev/2015-March/008504.html
I’m fine with the timeout. We could use the date of the freeze as deadline because if it’s not fixed by then, it won’t be fixed in time.
#7 Updated by intrigeri 2015-04-06 15:10:38
> anonym did something in https://mailman.boum.org/pipermail/tails-dev/2015-March/008504.html
Trying to beat me at arguing endlessly and having the last word, are you? Then good luck with it, I still have a little bit more experience at it ;)
Joke aside, in case you’re somewhat counting on anonym, here’s some additional info: he made it clear since that he isn’t taking responsibility for fixing that bug during the 1.4 dev cycle. That’s what I meant with “I’m not aware of anyone being investigating this topic”.
> That’s now
#8 Updated by bertagaz 2015-04-15 08:44:56
- Starter set to No
Had a quick look, and it seems to be a known bug referenced or mentioned here and there:
One workaround I’ve found is to create a local mail folder in claws mail, and then configure the IMAP account to use this local drafts/ and queue/ folder in the advanced section of its configuration.
The draft or deferred emails are then stored in this folders. That’s half satisfying, because the emails are not stored on the IMAP server, but they still are unencrypted.
I’m not sure how this can be used in our shipped default configuration bits, but it should be doable. That’s probably the next step to test if we think it’s still relevant to use this workaround.
At least that might be something worth mentioning if we stick on writing a security advisory in the 1.4 release.
#9 Updated by intrigeri 2015-04-15 13:39:14
> I’m not sure how this can be used in our shipped default configuration bits, but it should be doable. That’s probably the next step to test if we think it’s still relevant to use this workaround.
Agreed, best would be to make this the default configuration for new accounts. Migrating existing accounts is probably harder, and anyway it’s less important since it can be covered by documentation + a security advisory.
> At least that might be something worth mentioning if we stick on writing a security advisory […]
Agreed, IMO that’s precisely what we should document + point to in the security advisory, if we can’t automate it.
#10 Updated by bertagaz 2015-04-15 14:33:37
In the end it seems not possible to use the accountrc.tmpl file to seed the user configuration with one that would workaround this issue.
We can’t use the
draft_folder= in there according to the claws-mail manual (and tests).
So we’re probably stuck with using a wrapper that would:
- add a mh to the folderlist.xml file once it exists and is configured to use IMAP
- configure the settings above to use this as the default Queue and Drafts folders.
Doesn’t sound that easy.
Maybe the claws mail python plugin can help here, but I’m not sure it gives access to this settings.
#11 Updated by intrigeri 2015-04-15 15:44:32
> So we’re probably stuck with using a wrapper that would:
> * add a mh to the folderlist.xml file once it exists and is configured to use IMAP
> * configure the settings above to use this as the default Queue and Drafts folders.
> Doesn’t sound that easy.
Indeed :( IMO it’s not worth it and likely to be fragile, so we should go the documentation + security advisory way, given we’re going to switch to Icedove soonish. However, perhaps we should have a wrapper around Claws Mail that warns users about it and points to the corresponding documentation. Perhaps that wrapper can create a file the first time it’s run, and then not display the warning if that file exists.
#12 Updated by sajolida 2015-04-18 19:57:09
- Assignee set to sajolida
Now assigning this to myself to prepare documentation and a security warning.
If I understand correctly, I should build upon the workaround described in note-#8 and http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2661#c17.
And also, regarding the debugging process behind that bug shall we contact the Claws Mail people about the fact that this bug affects Tails and that we are considering issuing a security advisory regarding that issue? Because this will bring them (and us) quite a bit of bad advertising and maybe they prefer to fix it promptly instead :) Could this go into a Debian security update?
#13 Updated by intrigeri 2015-04-19 06:06:38
> And also, regarding the debugging process behind that bug shall we contact the Claws
> Mail people about the fact that this bug affects Tails and that we are considering
> issuing a security advisory regarding that issue? Because this will bring them (and
> us) quite a bit of bad advertising and maybe they prefer to fix it promptly
> instead :)
> Could this go into a Debian security update?
I’m not sure what’s “this”, given we actually have no fix but merely doc workarounds.
#14 Updated by bertagaz 2015-04-19 08:13:39
Here’s a quick sum up of the workaround to this bug, to help in writing the documentation:
After having configured an IMAP account in Claws-mail, one must got to
Add mailbox ->
Then choose a path where to store the new mailbox, somewhere under $HOME/.claws-mail to take advantages of the persistence.
Once done, go to the
Configuration menu, choose
Preference for current account..., then in the
Advanced menu, in the
Folder section check
Put queued messages in and browse to choose the newly created MH queue folder (and not the IMAP one). Repeat for the
Put draft messages in. Then you’re done.
Hope this helps.
#15 Updated by sajolida 2015-04-22 11:03:13
> I’m not sure what’s “this”, given we actually have no fix but merely doc workarounds.
I have the impression that Claws upstream didn’t really get the impact
of this bug and didn’t take it as seriously as it should.
So, if Tails points out to them that it really is important and that we
are about to issue a security advisory about it, then Claws might
release a fix. If this happens, could their fix go into a Debian
security update, and then we wouldn’t have to issue that security
advisory if done quickly?
#16 Updated by intrigeri 2015-04-23 01:29:40
> So, if Tails points out to them that it really is important and that we are about to issue a security advisory about it, then Claws might release a fix.
I think it’s worth trying.
> If this happens, could their fix go into a Debian security update, and then we wouldn’t have to issue that security advisory if done quickly?
So, what fix do we want to suggest them? I guess that creating local folders and using them for saving drafts etc. is too involved for a backportable security patch (and not so good UX wise). How do other MUAs do (in particular Icedove + Enigmail)?
#19 Updated by sajolida 2015-04-26 13:16:22
I commented on their bug, see http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2661#c19.
#20 Updated by BitingBird 2015-04-26 15:39:30
They answered, saying the adequate ticket is http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2965
#23 Updated by sajolida 2015-05-05 19:42:30
- Assignee deleted (
- Target version deleted (
We did all we could do on this issue and will release an advisory before 1.4. There’s not much else we can do for the time being, so I’m removing this from 1.4 as it won’t be solved by then. Deassigning it from me either.
#25 Updated by bertagaz 2015-07-14 06:35:20
> Why was this issue not fixed in Tails 1.4.1? The fix was available from Claws Mail GIT for a week before the date of Tails 1.4.1 release.
Yeah sure, so we should have build a new Debian package that we’d either upload into Debian (which is the path we prefer as discussed on the tails-dev list) or in our own APT repo, tested this patch (because it’s not so obvious it actually fixes the bugs we raised), all that in a week, after we freezed the 1.4.1 release?
Sorry, but that’s not possible, we won’t put the effort to integrate such a patch in such a short time without proper testing. Needless to say that we are already all quite busy with Tails.
#27 Updated by paul 2015-07-15 12:12:11
@bertagaz: well, you have barely more than a handful of security issues listed, so breaking the freeze seems reasonable to me, although I don’t know what you polcies are. I think if you had tested the patch you would find it quite obvious that it fixes the bug.
@intrigeri: a CVE would have been inappropriate for this, for reasons cited elsewhere.
#31 Updated by Kurtis 2015-08-13 11:26:16
Just for references purposes, here’s the link to the bug fix on the Claws-Mail site. http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2965
Will claws-mail be updated upstream in Debian to include this bug fix and then brought into Tails? If not, how will this get fixed?
#32 Updated by intrigeri 2015-08-18 05:32:03
> Will claws-mail be updated upstream in Debian to include this bug fix and then brought into Tails?
Once the fix is in Debian unstable, someone might want to talk to the Debian security team about it.
No idea if the upstream patches apply on Debian oldstable (Wheezy) and/or stable (Jessie) version of Claws Mail, though.
> If not, how will this get fixed?
By switching to Icedove.
#33 Updated by baitisj 2015-08-22 12:31:18
I opened a more narrowly defined issue:
I think this covers the other half of the concern voiced previously that was marked as “resolved”