Your message dated Sun, 10 May 2015 17:17:07 +0000
with message-id <[email protected]>
and subject line Bug#784712: fixed in semi 1.14.7~0.20120428-14+deb8u1
has caused the Debian Bug report #784712,
regarding semi: incorrect keys in encryption
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
784712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784712
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: semi
Version: 1.14.7~0.20120428-14
Severity: important
Tags: jessie security
It was discovered that SEMI, an Emacs library to provide MIME
features, did not properly implement recipients matching to encrypt
mails. This may allow unrelated person may decrypt the mails.
cf.
- http://thread.gmane.org/gmane.mail.wanderlust.general.japanese/9819
From: Michael Welle
> I discovered strange behaviour while trying to encrypt mails (Emacs
> 24.4.1, SEMI is the current version from the melpa archive). The key
> ids that are fed to gpg are mostly totally unrelated to the mail's
> recipient. The problem seems to be in mime-edit.el. In
> mime-edit-encrypt-pgp-mime a recipient list is calculated. A to-header
> like 'foo bar <[email protected]>' is therefore parsed into three elements 'foo',
> 'bar' and '[email protected]', which results in three key ids (depending on the
> contents of your key ring). Unfortunately, the key ids resulting from
> 'foo' and 'bar' are unrelated to this mail in my case (tons of
> different keys can be found for foo). And even the key found for
> [email protected] might not be the one one want to use.
>
> As a work around one can use plain mail addresses like '[email protected]'.
Fixed in
https://github.com/wanderlust/semi/commit/9976269556c5bcc021e4edf1b0e1accd39929528
- https://github.com/wanderlust/semi/issues/9
From: Tatsuya Kinoshita
> With SEMI-EPG 2015-05-03 and Wanderlust 2015-03-08, in encryption,
> a mail with To: [email protected] chooses [email protected]'s key when
> the foolowing keys are imported.
>
> - 1024D/97AA33D6 Dima Barsky <[email protected]>
> - 1024D/1A944AD7 Martin Albert <[email protected]>
>
> It seems not exact match on an email address.
Fixed in
-
https://github.com/wanderlust/semi/commit/5c8466321d281d72850c298b9ebcd466b4b0160c
-
https://github.com/wanderlust/semi/commit/da44c8e0ea6baf5dac2b8debf86f720a541f31a5
The security team suggested that is rather a candidate for a fix in
a point update instead of a Debian Security Advisory.
Thanks,
--
Tatsuya Kinoshita
pgpqpZWeSkngC.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: semi
Source-Version: 1.14.7~0.20120428-14+deb8u1
We believe that the bug you reported is fixed in the latest version of
semi, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tatsuya Kinoshita <[email protected]> (supplier of updated semi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 08 May 2015 09:09:01 +0900
Source: semi
Binary: semi
Architecture: source all
Version: 1.14.7~0.20120428-14+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Tatsuya Kinoshita <[email protected]>
Changed-By: Tatsuya Kinoshita <[email protected]>
Description:
semi - library to provide MIME feature for emacsen
Closes: 784712
Changes:
semi (1.14.7~0.20120428-14+deb8u1) jessie; urgency=medium
.
* New patch 020_encrypt.patch to fix incorrect keys in encryption
(closes: #784712)
Checksums-Sha1:
afa3c13f88361db5cc28427485b1073f2966d0aa 1956
semi_1.14.7~0.20120428-14+deb8u1.dsc
3196031c1337a577972f0493fb7cb190ac3ff3cc 52040
semi_1.14.7~0.20120428-14+deb8u1.debian.tar.xz
3693ba49835ef239173129f1195b79fba6890c61 172562
semi_1.14.7~0.20120428-14+deb8u1_all.deb
Checksums-Sha256:
4552d6ceb2fba365cce82a9cf59d9fe0571d2c7e1ea896afcf11e5c20dd9576b 1956
semi_1.14.7~0.20120428-14+deb8u1.dsc
adcbec87dd581f36799904563977446490c47a9da3811d414b1ed7b4ccbefb99 52040
semi_1.14.7~0.20120428-14+deb8u1.debian.tar.xz
9827fb4e0f1fe5db54b631d67438d370cc83011f419aecc0eaab199f18876616 172562
semi_1.14.7~0.20120428-14+deb8u1_all.deb
Files:
a5df2bf8d63b05e1604858ffb67fb3ad 1956 lisp extra
semi_1.14.7~0.20120428-14+deb8u1.dsc
b6fc33796cb358815c01c92ebc054ebe 52040 lisp extra
semi_1.14.7~0.20120428-14+deb8u1.debian.tar.xz
3845082339c0fa99736d3ec0f2ecffad 172562 lisp extra
semi_1.14.7~0.20120428-14+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJVTAt1AAoJEOXvq5AIDqY8iYQQAJjW+5uw9pvqLromEwUskV6D
afZ54YVzlcg7DWk4FsKte16NdkmwrC/TmE9RYN2UuHjcwaB6ZX1+fDebvshTwwCk
DOvy4KwusbtFjsG9PsxyqODOEvV+OsizU86f10HAwQp2I2etajkH5JVkqnGRdQZt
HI6mZw98irk2XsqPBT2kOhu4GH31ns8uoLlFakDBBqjoVM6vcThdElhMT11ElDWT
lTfi0WBgp7zisA2iCviao2Z9SD2CZNZyTSqnX/0TLpjQLoAFkWrtHTtobvFlDg4i
4dQi69Bo4xNA/XvLTfvUwHIZopPKHpGxan3GIy2UcnSUyKZ9CK4BdkuBSamIALGl
+u8ykFdb7CVOiMPXAojyEKS+ms66Q2ECTJovGM3Q4i+60J6/Xn+GgWanhVVnyW85
iBmDXfxM/D4bi+18zmA1V3mjRRVFLN6W1pqEYl0FRM9P/Sd9PInb5cbmrkD3mKf1
WllOK522T1yUZXk/zwC7hm1iEfY8WDYWj67lh3DSi2XAkEgzfmU2VLTh5c29ZyE6
4wV66diUYVKPf27FZydc5yRK+jIOcpou9xyx49xJPC4m4o3S0f2fjFlMsAOVNNBy
hjI1r8VON+qoHmmHEdJa28x7UD1c9bBghdkgv09doWj9q7zKcLX2S6Ye7JHfyijz
Vy2Ci9MN8ZBp4eAv7AZt
=FVtT
-----END PGP SIGNATURE-----
--- End Message ---
