Re: CVE Request: evolution mail client GPG key selection issue

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/21/2013 02:02 PM, Yves-Alexis Perez wrote:
> Hi,
>
> an issue with security impact was recently fixed in Evolution.
> More details can be found on the Red Hat bug report at 
> https://bugzilla.redhat.com/show_bug.cgi?id=973728 but it
> basically boils down to a wrong selection when choosing the the
> keyid for a destination email address.
>
> Basically, when you have multiple keys in the keyrings, with
> overlapping email addresses (like foo () example com and
> foobar () example com), you can end up (silently) encrypting to the
> wrong recipient.
>
> It actually happened to me when forwarding embargoed security
> issues so it can happen in real life. Now the wrong recipient would
> need to actually obtain a copy of the sent mail (since it's sent to
> the correct recipient, not the wrong one), but I still think it
> warrants a CVE.
>
> Quick fix was to use the documented format for email searches in
> GnuPG (using <> around email addresses) but a more complete fix for
> explicit key selection should appear some time in the future.
>
> Regards,

Yeah this was discussed internally a bit at Red Hat after you filed
the bug, it's a messy problem. I think one concern was where do you
want to place policy decisions for key usage and trust, in GPG, in the
app using it, or something else? One concern I have is I sometimes
used to (not any more!) download all the signing keys for keys I was
using to see if I could establish a web of trust. Of course anyone can
sign someone elses key and upload that to the public key servers, so
then the potential for grabbing a key from a bad guy increases
significantly.

Any ways for evolutions please use CVE-2013-4166 for this issue. Has
anyone checked other popular mail clients like thunderbird/mutt/etc?


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR8OX7AAoJEBYNRVNeJnmT+hQQAMh1vNoTyxu/d5sQidn571z1
2ZGVu07Z+1tFNgHlH1cLNIfw7bnPTy4SydyGFnXdHw4XSFwp52glS0FYYyhyLhwv
tsFP0QSQc6jBpcETM9voHTdELHbAGySoY5TZV8gXeLoiboJ+dhCCmJhmCVxlQqgr
Q+ae+bR4UcNNZ3TLKIaJbKm+TJdULiGar1iHMXiIYpR+66uekrcCM3uL3yjhgnwk
7+zp8haLv8d2mOUGAkFfsg2Jku/bLnCj4/vRK10EV61pwzkW2/C2lBUhCKpGAEMQ
6o6UkulgZaIP0kRtdNk+tYZAFbzhqiRxyDlXCxmJwRu+p0nJ1OY8Bf3i3oPGeVHq
NpMwRbpDAyzYPZTVgvQfdr+GTOaikwbdH37zI8tUk5MXnXSMwDmvOt4nmziCtzK0
rU+DA6p1BQGgDMSc5LNFAp26H70SdIUo1CssoWhTC06Z2nk8LebPfgwCQ6weoyoR
InNhmXiCCEwfpOuOEXJ4gWDEL9CxaM1dUpa66QyICFhgLtz7ySJCYMXKAgqhzkk2
vEWEMmAkwMmW9SZaoW3ddhHL8UI1/KB25MhC5icRT89L7ZGr9fGqvLKVsVQWTV1L
s68r9o2ChxcMpU/hLul2nHvB36hlBrfLoFZYEl9aTY+p9oOQKrcpffLlOJGJS1eq
Lap0JhAntso2FN2hciB8
=UVD4
-----END PGP SIGNATURE-----