643490 – (CVE-2017-17843, CVE-2017-17844, CVE-2017-17845, CVE-2017-17846, CVE-2017-17847, CVE-2017-17848) <x11-plugins/enigmail-2.0.8-r1: Multiple vulnerabilities

Bug 643490 (CVE-2017-17843, CVE-2017-17844, CVE-2017-17845, CVE-2017-17846, CVE-2017-17847, CVE-2017-17848) - <x11-plugins/enigmail-2.0.8-r1: Multiple vulnerabilities

Summary: <x11-plugins/enigmail-2.0.8-r1: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2017-17843, CVE-2017-17844, CVE-2017-17845, CVE-2017-17846, CVE-2017-17847, CVE-2017-17848

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://sourceforge.net/p/enigmail/bu...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-01-04 21:27 UTC by GLSAMaker/CVETool Bot
Modified:	2019-03-26 20:44 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2018-01-04 21:27:41 UTC

CVE-2017-17848 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17848):
  An issue was discovered in Enigmail before 1.9.9. In a variant of
  CVE-2017-17847, signature spoofing is possible for multipart/related
  messages because a signed message part can be referenced with a cid: URI but
  not actually displayed. In other words, the entire containing message
  appears to be signed, but the recipient does not see any of the signed text.

CVE-2017-17847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17847):
  An issue was discovered in Enigmail before 1.9.9. Signature spoofing is
  possible because the UI does not properly distinguish between an attachment
  signature, and a signature that applies to the entire containing message,
  aka TBE-01-021. This is demonstrated by an e-mail message with an attachment
  that is a signed e-mail message in message/rfc822 format.

CVE-2017-17846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17846):
  An issue was discovered in Enigmail before 1.9.9. Regular expressions are
  exploitable for Denial of Service, because of attempts to match arbitrarily
  long strings, aka TBE-01-003.

CVE-2017-17845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17845):
  An issue was discovered in Enigmail before 1.9.9. Improper Random Secret
  Generation occurs because Math.Random() is used by pretty Easy privacy
  (pEp), aka TBE-01-001.

CVE-2017-17844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17844):
  An issue was discovered in Enigmail before 1.9.9. A remote attacker can
  obtain cleartext content by sending an encrypted data block (that the
  attacker cannot directly decrypt) to a victim, and relying on the victim to
  automatically decrypt that block and then send it back to the attacker as
  quoted text, aka the TBE-01-005 "replay" issue.

CVE-2017-17843 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17843):
  An issue was discovered in Enigmail before 1.9.9 that allows remote
  attackers to trigger use of an intended public key for encryption, because
  incorrect regular expressions are used for extraction of an e-mail address
  from a comma-separated list, as demonstrated by a modified Full Name field
  and a homograph attack, aka TBE-01-002.