From $URL: Using Content-Type = multipart/alternative, it is possible to trick Enigmail into displaying a valid signature status for a MIME part that is actually not signed. Such messages have the following structure (or similar): multipart/alternative |- multipart/signed | |- text/plain | |- text/html Fixed in 2.1.5. Reproducer: https://sourceforge.net/p/enigmail/bugs/1044/attachment/Sample%20Message.eml https://sourceforge.net/p/enigmail/bugs/_discuss/thread/90e18ceedb/e1d4/attachment/Pubkey.asc References: https://sourceforge.net/p/enigmail/bugs/1044/
amd64 & x86 stable
ppc64 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3fe9da9fdba4143d89df7f86898af4e12fd779c2 commit 3fe9da9fdba4143d89df7f86898af4e12fd779c2 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2020-03-25 16:40:49 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-03-25 16:41:27 +0000 x11-plugins/enigmail: security cleanup (bug #706134) Bug: https://bugs.gentoo.org/706134 Package-Manager: Portage-2.3.94, Repoman-2.3.21 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> x11-plugins/enigmail/Manifest | 3 - x11-plugins/enigmail/enigmail-2.0.12-r1.ebuild | 84 --------------------- x11-plugins/enigmail/enigmail-2.0.8-r1.ebuild | 83 --------------------- x11-plugins/enigmail/enigmail-2.1.2-r1.ebuild | 85 ---------------------- x11-plugins/enigmail/enigmail-2.1.2.ebuild | 84 --------------------- .../enigmail-2.0.12-enable_seamonkey_support.patch | 20 ----- .../enigmail/files/enigmail-2.1.2-mimeverify.patch | 44 ----------- 7 files changed, 403 deletions(-)
GLSA Vote: No! Repository is clean, all done!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1ac19fd9458d60493f13daf7f58ff57856dbb2f commit d1ac19fd9458d60493f13daf7f58ff57856dbb2f Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2020-03-25 18:17:17 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-03-25 18:18:19 +0000 Partially revert "x11-plugins/enigmail: security cleanup (bug #706134)" www-client/seamonkey only supports <=x11-plugins/enigmail-2.1.0. Bug: https://bugs.gentoo.org/706134 Package-Manager: Portage-2.3.94, Repoman-2.3.21 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> x11-plugins/enigmail/Manifest | 1 + x11-plugins/enigmail/enigmail-2.0.12-r1.ebuild | 84 ++++++++++++++++++++++ .../enigmail-2.0.12-enable_seamonkey_support.patch | 20 ++++++ 3 files changed, 105 insertions(+)