Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 729596 (CVE-2019-10734, CVE-2020-15047) - <mail-client/trojita-0.7-r4: Multiple vulnerabilities (CVE-2019-10734, CVE-2020-15047)
Summary: <mail-client/trojita-0.7-r4: Multiple vulnerabilities (CVE-2019-10734, CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2019-10734, CVE-2020-15047
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.kde.org/show_bug.cgi?id=...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 730058
Blocks: 807352
  Show dependency tree
 
Reported: 2020-06-25 11:17 UTC by Agostino Sarubbo
Modified: 2021-08-10 01:46 UTC (History)
2 users (show)

See Also:
Package list:
mail-client/trojita-0.7-r4
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2020-06-25 11:17:55 UTC
From https://www.openwall.com/lists/oss-security/2020/06/25/1 :

Hi folks, I would appreciate a Cc on responses as I'm not subscribed to 
this list. I would like to request a CVE for the following vulnerability:

Summary
-------

Damian Poddebniak discovered a TLS verification failure (CWE-295) in 
Trojitá [1], a fast Qt IMAP e-mail client. When sending e-mails over SMTP, 
all TLS errors were ignored.

Background
----------

Trojita first gained support for SMTP submission in patch 0083eea5ed [2]. 
Since that commit (May 2009), there's been a FIXME comment in the code that 
SSL errors should be handled properly. Unfortunately, this issue kept 
falling through the cracks and we never re-enabled TLS validation as the 
SMTP backend matured. As a result, outgoing SMTP connections were 
suspectible to a MITM attack, with authentication details including 
passwords and the message content potentially available to attackers.

IMAP connections are not suspectible to this bug.

Affected versions
-----------------

All versions of Trojita up to and including v0.7 are affected. The fix [3] 
will be included in version v0.8 which will be released once the CVE gets 
assigned.

Acknowledgement
---------------

Thanks to Damian Poddebniak for reporting [4] this bug.

[1] http://trojita.flaska.net/
[2] https://invent.kde.org/pim/trojita/-/commit/0083eea5ed
[3] https://gerrit.vesnicky.cesnet.cz/r/1035
[4] https://bugs.kde.org/show_bug.cgi?id=423453

With kind regards,
Jan

-- 
Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2020-06-25 12:12:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=835ed520d32ad8721f0fa83b81432f244a14f187

commit 835ed520d32ad8721f0fa83b81432f244a14f187
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-06-25 12:08:06 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-06-25 12:11:30 +0000

    mail-client/trojita: Fix improper certificate validation
    
    Bug: https://bugs.gentoo.org/729596
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../files/trojita-0.7-smtp-handle-tls-errors.patch | 82 +++++++++++++++++++++
 mail-client/trojita/trojita-0.7-r3.ebuild          | 83 ++++++++++++++++++++++
 2 files changed, 165 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 12:14:14 UTC
Stable?
Comment 3 Andreas Sturmlechner gentoo-dev 2020-06-25 22:38:43 UTC
Now that it was merged to master, sure.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-28 21:05:20 UTC
Nobody has stabled this yet, so let's reuse the bug for the imminently-patched CVE-2019-10734.

* CVE-2019-10734

Description:
"In the scope of academic research in cooperation with Ruhr-Uni Bochum and FH Münster, Germany we discovered a security issue in Trojitá: An attacker who is in possession of PGP or S/MIME encrypted messages can embed them into a multipart message and re-send them to the intended receiver. When the message is read and decrypted by the receiver, the attacker's content is shown. If the victim replies, the plaintext is leaked to an attacker's email address. The root cause for these vulnerabilities lies in the way Trojitá (and many other mail clients) handle partially encrypted multipart messages."

See https://bugs.kde.org/show_bug.cgi?id=404697. Thanks to asturm for pointing this out.
Comment 5 Larry the Git Cow gentoo-dev 2020-06-28 21:55:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a89ecdd740bdd213af85f03950fdcdaeef4a12ec

commit a89ecdd740bdd213af85f03950fdcdaeef4a12ec
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-06-28 20:47:13 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-06-28 21:55:22 +0000

    mail-client/trojita: Fix CVE-2019-10734
    
    KDE-bug: https://bugs.kde.org/show_bug.cgi?id=404697
    Bug: https://bugs.gentoo.org/729596
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../trojita/files/trojita-0.7-CVE-2019-10734.patch | 104 +++++++++++++++++++++
 mail-client/trojita/trojita-0.7-r4.ebuild          |  84 +++++++++++++++++
 2 files changed, 188 insertions(+)
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-29 13:35:26 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-29 13:40:57 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Larry the Git Cow gentoo-dev 2020-06-29 17:36:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29dcb5b60c52945652edc27aa1505e0c48760d49

commit 29dcb5b60c52945652edc27aa1505e0c48760d49
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-06-29 17:25:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-06-29 17:36:43 +0000

    mail-client/trojita: Cleanup vulnerable 0.7-r2
    
    Bug: https://bugs.gentoo.org/729596
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 mail-client/trojita/trojita-0.7-r2.ebuild | 82 -------------------------------
 1 file changed, 82 deletions(-)
Comment 9 Andreas Sturmlechner gentoo-dev 2020-06-30 19:41:34 UTC
kde proj is done here, anyway.
Comment 10 NATTkA bot gentoo-dev 2020-06-30 20:00:31 UTC
Unable to check for sanity:

> no match for package: mail-client/trojita-0.7-r4