Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 811912

Summary: <mail-client/thunderbird{-bin,}-91.3.2: ElGamal plaintext recovery via bundled dev-libs/botan (CVE-2021-40529)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mozilla
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 811909    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-07 01:36:01 UTC 
CVE-2021-40529:

The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.


Unreleased in Botan (https://github.com/randombit/botan/pull/2790), and doesn't seem the patch is in Thunderbird yet.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-03 02:29:06 UTC 
Fixed in 2.18.2.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-05 19:26:02 UTC 
(In reply to John Helmert III from comment #1)
> Fixed in 2.18.2.

... which is in Thunderbird 91.3.2.
Comment 3 Larry the Git Cow gentoo-dev 2022-08-10 04:18:20 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8856093f804feeda5fe9097d49ba3307aaefc9c2

commit 8856093f804feeda5fe9097d49ba3307aaefc9c2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 04:08:55 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:17:36 +0000

    [ GLSA 202208-14 ] Mozilla Thunderbird: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/794085
    Bug: https://bugs.gentoo.org/802759
    Bug: https://bugs.gentoo.org/807943
    Bug: https://bugs.gentoo.org/811912
    Bug: https://bugs.gentoo.org/813501
    Bug: https://bugs.gentoo.org/822294
    Bug: https://bugs.gentoo.org/828539
    Bug: https://bugs.gentoo.org/831040
    Bug: https://bugs.gentoo.org/833520
    Bug: https://bugs.gentoo.org/834805
    Bug: https://bugs.gentoo.org/845057
    Bug: https://bugs.gentoo.org/846596
    Bug: https://bugs.gentoo.org/849047
    Bug: https://bugs.gentoo.org/857048
    Bug: https://bugs.gentoo.org/864577
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-14.xml | 165 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 165 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:23:20 UTC 
GLSA released, all done!