Bug 23415

Summary: thunderbird-enigmail new security issue fixed upstream in 2.0.8
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, geiger.david68210, herman.viaene, lists.jjorge, marja11, mhrambo3501, nicolas.salguero, sysadmin-bugs, tmb
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: thunderbird
CVE:
Status comment:

Description David Walser 2018-08-09 19:57:45 CEST
Enigmail 2.0.8 has been released on August 4:
https://www.enigmail.net/index.php/en/download/changelog

openSUSE has issued an advisory for this today (August 9):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00050.html

Mageia 5 and Mageia 6 are also affected.
Comment 1 Marja Van Waes 2018-08-09 21:01:51 CEST
Assigning to the registered maintainer, CC'ing some committers.

CC: (none) => geiger.david68210, lists.jjorge, marja11, mrambo, nicolas.salguero
Assignee: bugsquad => doktor5000

Comment 2 Mike Rambo 2018-08-15 17:51:54 CEST
Note that mga5 was attempted but failed to build.

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated thunderbird package fixes security vulnerabilities:

* Spoofing of Email signatures I: GnuPG 2.2.8 fixed a security bug that allows remote attackers to spoof arbitrary email signatures via the embedded "--filename" parameter in OpenPGP literal data packets. This release of Enigmail prevents the exploit for all versions of GnuPG, i.e. also if GnuPG is not updated (CVE-2018-12020).

* Spoofing of Email signatures II: The signature verification routine in Enigmail interpreted User IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids (CVE-2018-12019).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
https://www.enigmail.net/index.php/en/download/changelog
https://lists.opensuse.org/opensuse-updates/2018-08/msg00050.html
========================

Updated packages in core/updates_testing:
========================
thunderbird-52.9.1-1.1.mga6
thunderbird-enigmail-52.9.1-1.1.mga6

from thunderbird-52.9.1-1.1.mga6.src.rpm

Assignee: doktor5000 => qa-bugs
Version: Cauldron => 6
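
The two items in the advisory above share one root cause: attacker-controlled text (the filename field of an OpenPGP literal data packet, or a key's user ID) ends up in the same text stream a mail client parses for GnuPG's "[GNUPG:] ..." status lines. The following is an added example, not code from Enigmail, GnuPG or the Mageia package: it builds a real RFC 4880 literal data packet with a crafted filename, then runs a constructed model of the gpg output (the PLAINTEXT status line and the --verbose log line are simulated, their exact formatting and the %XX escaping rules are assumptions) through a deliberately naive status parser and a hardened one. The status keywords NEWSIG, GOODSIG, BADSIG and VALIDSIG are GnuPG's; the sample status lines and key IDs are constructed.

```python
import struct

STATUS_PREFIX = "[GNUPG:] "
SIG_RESULTS = ("GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


# --- OpenPGP literal data packet (RFC 4880 section 5.9), new-format header ---
def build_literal_packet(filename: bytes, data: bytes) -> bytes:
    """Tag 11 packet: format 'b', one-octet filename length, filename,
    4-octet date, data. The filename is the field the attacker controls."""
    if len(filename) > 255:
        raise ValueError("filename length is a single octet")
    body = b"b" + bytes([len(filename)]) + filename + struct.pack(">I", 0) + data
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | 11]) + length + body


def parse_literal_packet(pkt: bytes):
    """Return (filename, data) from a new-format tag 11 packet."""
    if pkt[0] & 0xC0 != 0xC0 or pkt[0] & 0x3F != 11:
        raise ValueError("not a new-format literal data packet")
    first = pkt[1]
    if first < 192:
        n, off = first, 2
    elif first < 224:
        n, off = ((first - 192) << 8) + pkt[2] + 192, 3
    elif first == 255:
        n, off = struct.unpack(">I", pkt[2:6])[0], 6
    else:
        raise ValueError("partial body lengths not handled here")
    body = pkt[off:off + n]
    fn_len = body[1]
    return body[2:2 + fn_len], body[2 + fn_len + 4:]


def escape_field(raw: bytes) -> str:
    """%XX-escape control bytes, '%' and non-ASCII so a field can never span
    lines (same idea as GnuPG's status escaping; exact rules are assumed)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x25 else "%%%02X" % b
                   for b in raw)


def model_gpg_streams(filename: bytes, sanitize_logs: bool):
    """Constructed model, not GnuPG code: for an UNSIGNED message there is a
    PLAINTEXT status line and, with --verbose, a log line naming the file.
    sanitize_logs=False models the pre-fix behaviour of logging it raw."""
    status = [STATUS_PREFIX + "PLAINTEXT 62 0 " + escape_field(filename)]
    shown = escape_field(filename) if sanitize_logs else filename.decode("latin-1")
    return status, ["gpg: original file name='%s'" % shown]


def naive_is_good_signature(merged_text: str) -> bool:
    """Vulnerable pattern: log and status output share one stream and any line
    starting with a GOODSIG keyword counts as a verified signature."""
    return any(line.startswith(STATUS_PREFIX + "GOODSIG")
               for line in merged_text.splitlines())


def verify_from_status(status_lines) -> bool:
    """Hardened pattern: only the dedicated status channel is consulted, the
    keyword is read from the line start only (so user-ID text later on the
    line is inert), and every NEWSIG must end in exactly one GOODSIG + VALIDSIG."""
    sigs = []
    for line in status_lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        words = line[len(STATUS_PREFIX):].split()
        if not words:
            continue
        kw = words[0]
        if kw == "NEWSIG":
            sigs.append({"result": None, "valid": False})
        elif kw in SIG_RESULTS:
            if not sigs or sigs[-1]["result"] is not None:
                return False  # result without NEWSIG, or two results for one sig
            sigs[-1]["result"] = kw
        elif kw == "VALIDSIG":
            if not sigs or sigs[-1]["result"] != "GOODSIG":
                return False
            sigs[-1]["valid"] = True
    return bool(sigs) and all(s["result"] == "GOODSIG" and s["valid"] for s in sigs)


def demo_filename_injection():
    """CVE-2018-12020 pattern: newlines in the packet filename smuggle fake
    status lines through the log output of an unsigned message."""
    crafted = (b"report.txt\n" + STATUS_PREFIX.encode()
               + b"GOODSIG 0123456789ABCDEF Alice <alice@example.com>\n"
               + STATUS_PREFIX.encode() + b"VALIDSIG 0123456789ABCDEF")
    filename, _ = parse_literal_packet(build_literal_packet(crafted, b"hello"))
    status, stderr = model_gpg_streams(filename, sanitize_logs=False)
    spoofed = naive_is_good_signature("\n".join(stderr + status))
    hardened = verify_from_status(status)
    _, stderr_fixed = model_gpg_streams(filename, sanitize_logs=True)
    after_log_fix = naive_is_good_signature("\n".join(stderr_fixed + status))
    return spoofed, hardened, after_log_fix  # (True, False, False)


def demo_multiple_signatures():
    """CVE-2018-12019 pattern: one good signature must not vouch for a message
    that also carries a bad one. Status lines are constructed samples."""
    status = [
        STATUS_PREFIX + "NEWSIG",
        STATUS_PREFIX + "GOODSIG 0123456789ABCDEF Alice <alice@example.com>",
        STATUS_PREFIX + "VALIDSIG 0123456789ABCDEF",
        STATUS_PREFIX + "NEWSIG",
        STATUS_PREFIX + "BADSIG FEDCBA9876543210 Mallory [GNUPG:] GOODSIG fake",
    ]
    return (naive_is_good_signature("\n".join(status)),
            verify_from_status(status),
            verify_from_status(status[:3]))  # (True, False, True)
```

The model shows why the advisory lists two fixes: escaping the filename before it reaches any output (the GnuPG 2.2.8 side) closes the line-injection path even for a naive parser, while reading results only from the status channel and accounting per NEWSIG (the client side, which is what protects users on an unpatched GnuPG) is what stops a single GOODSIG from being attributed to the wrong signature or mined out of a user ID.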

Comment 3 Herman Viaene 2018-08-17 11:27:20 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, overwriting previous version.
Tested normal mail functions, OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2018-08-23 21:33:25 CEST
Have been using this on 64-bit for several days now, though I don't use enigmail.

Everything I use is working as expected. OK-ing, and validating.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Andrews 2018-08-23 21:39:51 CEST

Whiteboard: MGA6-32-OK MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Thomas Backlund 2018-08-24 00:31:40 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2018-08-24 01:36:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0354.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED