|Summary:||<mail-client/trojita-0.7-r4: Multiple vulnerabilities (CVE-2019-10734, CVE-2020-15047)|
|Product:||Gentoo Security||Reporter:||Agostino Sarubbo <ago>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||B3 [noglsa cve]|
|Runtime testing required:||---|
|Bug Depends on:||730058|
Description Agostino Sarubbo 2020-06-25 11:17:55 UTC
From https://www.openwall.com/lists/oss-security/2020/06/25/1 : Hi folks, I would appreciate a Cc on responses as I'm not subscribed to this list. I would like to request a CVE for the following vulnerability: Summary ------- Damian Poddebniak discovered a TLS verification failure (CWE-295) in Trojitá , a fast Qt IMAP e-mail client. When sending e-mails over SMTP, all TLS errors were ignored. Background ---------- Trojita first gained support for SMTP submission in patch 0083eea5ed . Since that commit (May 2009), there's been a FIXME comment in the code that SSL errors should be handled properly. Unfortunately, this issue kept falling through the cracks and we never re-enabled TLS validation as the SMTP backend matured. As a result, outgoing SMTP connections were suspectible to a MITM attack, with authentication details including passwords and the message content potentially available to attackers. IMAP connections are not suspectible to this bug. Affected versions ----------------- All versions of Trojita up to and including v0.7 are affected. The fix  will be included in version v0.8 which will be released once the CVE gets assigned. Acknowledgement --------------- Thanks to Damian Poddebniak for reporting  this bug.  http://trojita.flaska.net/  https://invent.kde.org/pim/trojita/-/commit/0083eea5ed  https://gerrit.vesnicky.cesnet.cz/r/1035  https://bugs.kde.org/show_bug.cgi?id=423453 With kind regards, Jan -- Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow 2020-06-25 12:12:00 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=835ed520d32ad8721f0fa83b81432f244a14f187 commit 835ed520d32ad8721f0fa83b81432f244a14f187 Author: Andreas Sturmlechner <email@example.com> AuthorDate: 2020-06-25 12:08:06 +0000 Commit: Andreas Sturmlechner <firstname.lastname@example.org> CommitDate: 2020-06-25 12:11:30 +0000 mail-client/trojita: Fix improper certificate validation Bug: https://bugs.gentoo.org/729596 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner <email@example.com> .../files/trojita-0.7-smtp-handle-tls-errors.patch | 82 +++++++++++++++++++++ mail-client/trojita/trojita-0.7-r3.ebuild | 83 ++++++++++++++++++++++ 2 files changed, 165 insertions(+)
Comment 2 Sam James 2020-06-25 12:14:14 UTC
Comment 3 Andreas Sturmlechner 2020-06-25 22:38:43 UTC
Now that it was merged to master, sure.
Comment 4 Sam James 2020-06-28 21:05:20 UTC
Nobody has stabled this yet, so let's reuse the bug for the imminently-patched CVE-2019-10734. * CVE-2019-10734 Description: "In the scope of academic research in cooperation with Ruhr-Uni Bochum and FH Münster, Germany we discovered a security issue in Trojitá: An attacker who is in possession of PGP or S/MIME encrypted messages can embed them into a multipart message and re-send them to the intended receiver. When the message is read and decrypted by the receiver, the attacker's content is shown. If the victim replies, the plaintext is leaked to an attacker's email address. The root cause for these vulnerabilities lies in the way Trojitá (and many other mail clients) handle partially encrypted multipart messages." See https://bugs.kde.org/show_bug.cgi?id=404697. Thanks to asturm for pointing this out.
Comment 5 Larry the Git Cow 2020-06-28 21:55:40 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a89ecdd740bdd213af85f03950fdcdaeef4a12ec commit a89ecdd740bdd213af85f03950fdcdaeef4a12ec Author: Andreas Sturmlechner <firstname.lastname@example.org> AuthorDate: 2020-06-28 20:47:13 +0000 Commit: Andreas Sturmlechner <email@example.com> CommitDate: 2020-06-28 21:55:22 +0000 mail-client/trojita: Fix CVE-2019-10734 KDE-bug: https://bugs.kde.org/show_bug.cgi?id=404697 Bug: https://bugs.gentoo.org/729596 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner <firstname.lastname@example.org> .../trojita/files/trojita-0.7-CVE-2019-10734.patch | 104 +++++++++++++++++++++ mail-client/trojita/trojita-0.7-r4.ebuild | 84 +++++++++++++++++ 2 files changed, 188 insertions(+)
Comment 6 Agostino Sarubbo 2020-06-29 13:35:26 UTC
Comment 7 Agostino Sarubbo 2020-06-29 13:40:57 UTC
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Comment 8 Larry the Git Cow 2020-06-29 17:36:59 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29dcb5b60c52945652edc27aa1505e0c48760d49 commit 29dcb5b60c52945652edc27aa1505e0c48760d49 Author: Andreas Sturmlechner <email@example.com> AuthorDate: 2020-06-29 17:25:47 +0000 Commit: Andreas Sturmlechner <firstname.lastname@example.org> CommitDate: 2020-06-29 17:36:43 +0000 mail-client/trojita: Cleanup vulnerable 0.7-r2 Bug: https://bugs.gentoo.org/729596 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner <email@example.com> mail-client/trojita/trojita-0.7-r2.ebuild | 82 ------------------------------- 1 file changed, 82 deletions(-)
Comment 9 Andreas Sturmlechner 2020-06-30 19:41:34 UTC
kde proj is done here, anyway.
Comment 10 NATTkA bot 2020-06-30 20:00:31 UTC
Unable to check for sanity: > no match for package: mail-client/trojita-0.7-r4