Yes, I am aware of this issue ... however, I have not yet verified if the sarge version is affected. If so, it should definitely get a security update.

On Fri, Jan 12, 2007 at 10:59:32AM +0100, Debian Bugreport Mailaddress wrote:
> Package: mozilla-thunderbird-enigmail
> Version: 2:0.91-4sarge2
> Severity: grave
>
> Enigmail has had a serious bug for a long time, see
> http://bugzilla.mozdev.org/show_bug.cgi?id=9730 for details.
>
> An attacker can send properly crafted encrypted emails to the enigmail
> user that will crash the receiver's instance of thunderbird.
>
> Whether it is possible to inject code or to access the user's passphrase
> using this approach is unclear.
>
> A patch fixing the issue appeared on the enigmail mailing list. The
> latest enigmail release (from yesterday, version v0.94.2) fixes the issue.
>
> I believe this bug justifies a security update to sarge and etch.
>
> Regards,
> Tobias
>
> Patrick Brunschwig's patch:
>
> Index: enigmail.js > =================================================================== > RCS file: /cvs/enigmail/src/package/enigmail.js,v > retrieving revision 1.190 > diff -u -r1.190 enigmail.js > --- enigmail.js 8 Jul 2006 16:16:50 -0000 1.190 > +++ enigmail.js 11 Jan 2007 10:33:04 -0000 > @@ -883,9 +883,6 @@ > > DEBUG_LOG("enigmail.js: EnigmailProtocolHandler.newChannel: > messageURL="+messageUriObj.originalUrl+", "+contentType+", > "+contentCharset+"\n"); > > - if (!messageUriObj.persist) > - delete gEnigmailSvc._messageIdList[messageId]; > - > } else { > > contentType = "text/plain";

 - Alexander

p.s. please take care that the bug is listed as To: or CC: when replying to this mail (e.g. /reply-all/).

--
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The universal
 [EMAIL PROTECTED]          | `. `'      Operating System
 http://www.asoftsite.org   |   `-    http://www.debian.org/
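
Review bot: With the if/delete pair removed from the end of this branch of EnigmailProtocolHandler.newChannel, nothing in the visible lines drops a non-persistent entry from gEnigmailSvc._messageIdList any more, and messageUriObj.persist is no longer consulted here. If the entry has to outlive this call because newChannel can run again for the same messageId, a comment at this spot should say so and name where non-persistent entries are released instead; without such a release the list keeps every entry for as long as the service lives.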