From ${URL}:

> http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

This seems to discuss at least two non-identical issues.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#b315 and http://sourceforge.net/p/enigmail/bugs/294/ are about "an email with only Bcc recipients is sent in plain text." This is assigned CVE-2014-5369.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#10f1 and http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#0a5a are about one or more issues in which there is unexpected cleartext e-mail transmission unrelated to use of Bcc. This perhaps requires a non-default configuration. It is conceivable -- although perhaps unlikely -- that the problem is a UI bug (e.g., an encryption choice is presented even when the product is configured to never use encryption). In any case, none of this has a CVE assignment yet. There isn't enough information to determine whether to assign zero, one, or two additional CVE IDs. The scope of CVE-2014-5369 is only the behavior that occurs when all recipients are Bcc recipients.

Finally, these are additional (possibly related) references that haven't yet been mentioned on oss-security:

http://sourceforge.net/p/enigmail/bugs/290/
http://twitter.com/mtigas/statuses/494228366028210176/photo/1
The CVE-2014-5369 issue has already been fixed in 1.7.1 and 1.8.0. Still waiting for more information on the other vulnerabilities, but users should beware the potential information leak and take the necessary precautions. See the discussion thread started at http://seclists.org/oss-sec/2014/q3/394 for some additional information.
(In reply to Kristian Fiskerstrand from comment #1)
> The CVE-2014-5369 issue has already been fixed in 1.7.1 and 1.8.0.

...but there is no release of enigmail above 1.7 .. are these releases still pending?
(In reply to Ian Stakenvicius from comment #2)
> (In reply to Kristian Fiskerstrand from comment #1)
> > The CVE-2014-5369 issue has already been fixed in 1.7.1 and 1.8.0.
>
> ...but there is no release of enigmail above 1.7 .. are these releases still
> pending?

Affirmative, I should be more precise. These are not released yet, but they are included in development for future release.
This was fixed via https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/mail-client/thunderbird/thunderbird-31.2.0.ebuild?hideattic=0&view=log

@ Security: Please vote!
GLSA Vote: No