Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 9209 - net-mail/evolution
Summary: net-mail/evolution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: x86 Linux
: Lowest critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-10-16 13:47 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-03-07 06:06 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Ahlberg (RETIRED) gentoo-dev 2002-10-16 13:47:02 UTC
Subject: SSL certificate validation problems in Ximian Evolution 
Date: 03 Oct 2002 14:00:35 +0200 
From: Veit Wahlich <veit@legalized.de> 
To: bugtraq@securityfocus.com 
 
Discovered: 
2002-09-08, Ximian has been informed on 2002-09-09. 
 
Impact: 
medium, if SSL (IMAPS, SMTPS, POP3S) used 
none, if not 
 
Affected: 
Ximian Evolution 1.0.x and earlier 
 
Description: 
Due to missing SSL validation code, Evolution's camel component is 
vulnerable to common SSL man-in-the-middle attacks, independent of the 
SSL issues currently in discussion. Certificates accepted once are no 
longer checked by camel. 
The behavior described below has been verified using both self-signed 
certificates as well as a regular valid Thawte-signed certificate (but 
regarded invalid by camel) for the server and a self-signed certificate 
for the attacker. As the valid certificate has been regarded invalid, it 
is also needed to be checked out with a certificate from valid oder 
valid-made CA. 
 
Solution: 
According to Ximian, Evolution 1.1.x (beta of upcoming 1.2 branch) is no 
longer affected, so those people who would like to trust in SSL 
connections should consider upgrading. 
Ximian has released Evolution 1.1.1. 
 
Exploitation Details: 
Imagine e.g. an IMAP connection over SSL. After a connection breakdown, 
Evolution quietly re-establishes the IMAPS connection on next access - 
but it seems to not check the identity of the peer. 
During the time period no connection is established, the certificate is 
replaced, e.g. by a SSL m-i-t-m attack, by the attacker's self-signed 
certificate, allowing him to read and even modify all data transfered. 
The attacker might also setup SSL m-i-t-m filters first and then 
drop/kill the connection still established. 
Evolution re-establishes the connection without showing any warning 
dialog. Using POP3 and SMTPS over the same certificates (and host) does 
not postulate any validation as well. 
 
Regards, 
// Veit Wahlich
Comment 1 Spider (RETIRED) gentoo-dev 2002-10-16 17:26:42 UTC
there is no fix avaiable for this from what I've seen, We better issue a warning
and suggest to not trust ssl in this version

1.1.x are unstable betas, not sure if we want to support those. I know I would
rather not support evo at all, but I'm biased. 
Comment 2 synonymousca 2002-12-08 15:12:31 UTC
Evolution 1.2's been in portage for about a month now. Only Bug 11429 is filed
against it here, and that one appears to be a weird 'works for everyone but
reporter' type.

Time to unmask it (at least so far as the unstable profile is concerned), perhaps?

Note this (http://forums.gentoo.org/viewtopic.php?t=23919) thread on the forums,
though. I've experienced this crash as well, and can confirm that the usage of
the linked replacement file eliminates them.
Comment 3 Martin Schlemmer (RETIRED) gentoo-dev 2002-12-28 05:30:16 UTC
It has other issues as well.  For instance, it will crash when trying to add or
view attachments with gnome-mime-data-2 and not version 1.  I guess we should
add a bug by Ximian if not already ...
Comment 4 Daniel Ahlberg (RETIRED) gentoo-dev 2003-03-07 06:06:51 UTC
too late