Bug#: 9209
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Daniel Ahlberg (RETIRED) <aliz@gentoo.org>
Description:   Opened: 2002-10-16 13:47 0000
Subject: SSL certificate validation problems in Ximian Evolution 
Date: 03 Oct 2002 14:00:35 +0200 
From: Veit Wahlich <veit@legalized.de> 
To: bugtraq@securityfocus.com 
 
Discovered: 
2002-09-08, Ximian has been informed on 2002-09-09. 
 
Impact: 
medium, if SSL (IMAPS, SMTPS, POP3S) used 
none, if not 
 
Affected: 
Ximian Evolution 1.0.x and earlier 
 
Description: 
Due to missing SSL validation code, Evolution's camel component is 
vulnerable to common SSL man-in-the-middle attacks, independent of the 
SSL issues currently in discussion. Certificates accepted once are no 
longer checked by camel. 
The behavior described below has been verified using both self-signed 
certificates as well as a regular valid Thawte-signed certificate (but 
regarded invalid by camel) for the server and a self-signed certificate 
for the attacker. As the valid certificate has been regarded invalid, it 
is also needed to be checked out with a certificate from valid or 
valid-made CA. 
 
Solution: 
According to Ximian, Evolution 1.1.x (beta of upcoming 1.2 branch) is no 
longer affected, so those people who would like to trust in SSL 
connections should consider upgrading. 
Ximian has released Evolution 1.1.1. 
 
Exploitation Details: 
Imagine e.g. an IMAP connection over SSL. After a connection breakdown, 
Evolution quietly re-establishes the IMAPS connection on next access - 
but it seems to not check the identity of the peer. 
During the time period no connection is established, the certificate is 
replaced, e.g. by an SSL m-i-t-m attack, by the attacker's self-signed 
certificate, allowing him to read and even modify all data transferred. 
The attacker might also set up SSL m-i-t-m filters first and then 
drop/kill the connection still established. 
Evolution re-establishes the connection without showing any warning 
dialog. Using POP3 and SMTPS over the same certificates (and host) does 
not postulate any validation as well. 
 
Regards, 
// Veit Wahlich
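
The check the advisory finds missing, sketched as an added example (not part of the advisory and not Evolution's or camel's code): an acceptance given once is bound to the fingerprint of that exact certificate and re-checked on every handshake, including silent reconnects. The class and function names, the per-(host, port) keying and the byte strings standing in for DER certificates are assumptions made for illustration.

```python
import hashlib
import hmac


class AcceptedCertStore:
    """Certificates the user explicitly accepted, keyed per service (hypothetical design)."""

    def __init__(self):
        self._accepted = {}  # (host, port) -> SHA-256 hex digest of the DER certificate

    @staticmethod
    def fingerprint(der_cert):
        return hashlib.sha256(der_cert).hexdigest()

    def accept(self, host, port, der_cert):
        # Call only after the user confirmed the warning for this exact certificate.
        self._accepted[(host, port)] = self.fingerprint(der_cert)

    def check(self, host, port, der_cert, chain_valid):
        """Judge the certificate presented on THIS handshake.

        Returns "ok", "prompt-unknown" or "prompt-changed".
        """
        if chain_valid:
            return "ok"
        pinned = self._accepted.get((host, port))
        if pinned is None:
            return "prompt-unknown"
        if hmac.compare_digest(pinned, self.fingerprint(der_cert)):
            return "ok"
        # An exception exists, but for a different certificate: never reuse it.
        return "prompt-changed"


def simulate_session(store, host, port, handshakes, user_accepts):
    """Run (der_cert, chain_valid) handshakes in order, e.g. connect, then reconnects."""
    decisions = []
    for der_cert, chain_valid in handshakes:
        decision = store.check(host, port, der_cert, chain_valid)
        decisions.append(decision)
        if decision == "prompt-unknown" and user_accepts:
            store.accept(host, port, der_cert)
    return decisions


# Constructed stand-ins for DER bytes; on a live connection they would come from
# ssl.SSLSocket.getpeercert(binary_form=True).
SERVER_CERT = b"constructed-der:mail.example.org:server-key"
OTHER_CERT = b"constructed-der:mail.example.org:different-key"
```

A reconnect that presents the same untrusted certificate passes quietly, while one that presents a different certificate produces "prompt-changed" and should bring the warning dialog back.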

------- Comment #1 From Spider (RETIRED) 2002-10-16 17:26:42 0000 -------
there is no fix available for this from what I've seen, we better issue a
warning and suggest to not trust ssl in this version

1.1.x are unstable betas, not sure if we want to support those. I know I would
rather not support evo at all, but I'm biased. 

------- Comment #2 From synonymousca@yahoo.com 2002-12-08 15:12:31 0000 -------
Evolution 1.2's been in portage for about a month now. Only Bug 11429 is filed
against it here, and that one appears to be a weird 'works for everyone but
reporter' type.

Time to unmask it (at least so far as the unstable profile is concerned), perhaps?

Note this (http://forums.gentoo.org/viewtopic.php?t=23919) thread on the forums,
though. I've experienced this crash as well, and can confirm that the usage of
the linked replacement file eliminates them.

------- Comment #3 From Martin Schlemmer (RETIRED) 2002-12-28 05:30:16 0000 -------
It has other issues as well.  For instance, it will crash when trying to add or
view attachments with gnome-mime-data-2 and not version 1.  I guess we should
add a bug by Ximian if not already ...

------- Comment #4 From Daniel Ahlberg (RETIRED) 2003-03-07 06:06:51 0000 -------
too late 
