REDHAT-BUG-973728
First published: Wed Jun 12 2013(Updated: )
Description of problem: Hi, this is actually not a RedHat/Fedora bug, it's an Evolution issue but the GNOME bugzilla doesn't seem to support reporting security/private bugs so Milan asked me to report here. When selecting the key for GPG-encrypted mail, Evolution seems to do: gpg --encrypt -r address This is actually a bad idea, because it matches every userid including address (wether in the first or last name, in the comment or in the email address). What makes it worse is that gpg returns the first match, so in case something else matches the email address given (for example name instead of first.name), then the mail will be encrypted to the *wrong* recipient. This looks like a security issue to me, thus marking it as such and reporting it. If you disagree, feel free to change that. In the gpg manpage there's an explanation about how userid can be selected, and for example: By exact match on an email address. This is indicated by enclosing the email address in the usual way with left and right angles. <heinrichh> So the angles should be added to the command line used by Evolution. Note that this still won't work if multiple keys match that email address. Maybe Evolution should do the same as mutt, which seems to first search (using I guess gpg --list) the keys matching a query, then ask the user to select the uid. This would make sure the user actually knows to what recipient the mail is encrypted to. And also note that, right now, there's no way to encrypt the mail to the correct recipient but to delete the key from the keyring. Version-Release number of selected component (if applicable): Evolution 3.8.2 How reproducible: Always Steps to Reproduce: 1. create keys for multiple recipient with matching email addresses (test and foo-test) 2. try to write gpg encrypted mail to both addresses Actual results: Mail is always encrypted to the first matching user id.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNOME Evolution |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.gnome.org/browse/evolution-data-server/commit/?id=5d8b92c622f6927b253762ff9310479dd3ac627d
- https://git.gnome.org/browse/evolution-data-server/commit/?h=gnome-3-8&id=f7059bb37dcce485d36d769142ec9515708d8ae5
- http://www.openwall.com/lists/oss-security/2013/07/21/2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=987108
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=973728#c5
- https://access.redhat.com/security/cve/CVE-2013-4166
- http://seclists.org/oss-sec/2013/q3/191
- https://rhn.redhat.com/errata/RHSA-2013-1540.html
- https://access.redhat.com/support/policy/updates/errata/
- https://bugzilla.redhat.com/show_bug.cgi?id=973728
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-4166
- agent/severity
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/type
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gnome
- canonical/gnome evolution