Your message dated Thu, 27 Oct 2005 20:31:43 +0200
with message-id <[EMAIL PROTECTED]>
and subject line security issue is already fixed in unstable ... go to testing!
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Oct 2005 17:07:05 +0000
>From SRS0=kh/[EMAIL PROTECTED] Tue Oct 25 10:07:05 2005
Return-path: <SRS0=kh/[EMAIL PROTECTED]>
Received: from moutng.kundenserver.de [212.227.126.186] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EUSGP-0007W6-00; Tue, 25 Oct 2005 10:07:05 -0700
Received: from c136090.adsl.hansenet.de [213.39.136.90] 
(helo=senica.personalfree.com)
        by mrelayeu.kundenserver.de with ESMTP (Nemesis),
        id 0ML21M-1EUSGN3lhs-0001N5; Tue, 25 Oct 2005 19:07:03 +0200
Received: from [10.0.1.2] (helo=hanson ident=Debian-exim)
        by senica.personalfree.com with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA:32)
        (Exim 4.50)
        id 1EUSGL-00046T-H8; Tue, 25 Oct 2005 19:07:01 +0200
Received: from alex by hanson with local (Exim 4.54)
        id 1EUSGL-0000zY-80; Tue, 25 Oct 2005 19:07:01 +0200
Content-Type: multipart/mixed; boundary="===============0626480308=="
MIME-Version: 1.0
From: Alexander Sack <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: security issue in enigmail package (CAN-2005-3256)
X-Mailer: reportbug 3.17
Date: Tue, 25 Oct 2005 19:07:01 +0200
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
X-Provags-ID: kundenserver.de [EMAIL PROTECTED] 
login:cbe77bd78e1b43e9d8afa4235a070258
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-10.9 required=4.0 tests=BAYES_00,HAS_PACKAGE,
        MIME_SUSPECT_NAME,X_DEBBUGS_CC autolearn=ham 
        version=2.60-bugs.debian.org_2005_01_02

This is a multi-part MIME message sent by reportbug.

--===============0626480308==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: enigmail
Version: 2:0.91-4
Severity: critical
Tags: security patch

If there is a key on your keyring that has an empty UID (no name,
e-mail address, etc.), mail may be encrypted to that UID, although the
recipient was not chosen by the user. This may lead to disclosure of
confidential data to others.

This is CAN-2005-3256.

Patch received from upstream is attached.

 - asac

--===============0626480308==
Content-Type: text/x-c++; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="security-patch.txt"

--- 
/cygdrive/f/Enigmail/source/enigmail/src/ui/content/enigmailUserSelection.js    
    2005-06-01 17:08:40.578115200 +0200
+++ ./enigmailUserSelection.js  2005-09-08 07:18:44.896859200 +0200
@@ -154,6 +154,8 @@
      return r;
    }
 
+   var emptyUid = " -"; // replace with localizable string
+   
    window.arguments[RESULT].cancelled=true;
 
    var secretOnly = (window.arguments[INPUT].options.indexOf("private")>= 0);
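Review bot: the sentinel `var emptyUid = " -"` does double duty as the displayed placeholder and as the value the later `mailAddr != emptyUid` comparisons depend on, and the comment "replace with localizable string" would, if acted on, make a security check depend on the UI locale and on an exact string match between the parse-time substitution and two comparisons further down. Suggest keeping the marker non-localized, or better, recording "no user ID" as a separate flag on the parsed entry and leaving the display string free to be translated.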
@@ -249,6 +251,9 @@
          aUserList.push(userObj);
          break;
        case "uid":
+         if (listRow[USER_ID].length == 0) {
+            listRow[USER_ID] = emptyUid;
+         }
          if (typeof(userObj.userId) != "string") {
            
userObj.userId=EnigConvertGpgToUnicode(listRow[USER_ID].replace(/\\e3A/g, ":"));
          }
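Review bot: the substitution fires only for `listRow[USER_ID].length == 0`, so a user ID consisting of whitespace only would pass unchanged and still reach the matching code below with an address-less value. Suggest testing the trimmed length, e.g. `if (listRow[USER_ID].replace(/^\s+|\s+$/g, "").length == 0)`. Note also that the placeholder is assigned before `EnigConvertGpgToUnicode(listRow[USER_ID].replace(/\\e3A/g, ":"))` runs on it; harmless for `" -"`, but worth a comment so nobody later picks a placeholder containing a sequence that routine rewrites.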
@@ -337,7 +342,7 @@
             escapedMailAddr=mailAddr.replace(escapeRegExp, "\\$1");
             s1=new RegExp("[, ]?"+escapedMailAddr+"[, ]","i");
             s2=new RegExp("[, ]"+escapedMailAddr+"[, ]?","i");
-            if (invalidAddr.indexOf(" "+mailAddr+" ")<0) {
+            if ((mailAddr != emptyUid) && (invalidAddr.indexOf(" "+mailAddr+" 
")<0)) {
               aValidUsers.push(mailAddr);
               aUserList[i].activeState =(toAddr.search(s1)>=0 || 
toAddr.search(s2)>=0) ? 1 : 0;
             }
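Review bot: the visible cause of the bug is that with an empty `mailAddr` the two patterns become `[, ]?[, ]` and `[, ][, ]?`, which match any separator in `toAddr`, so the key is marked active for every message. The added `(mailAddr != emptyUid)` guard closes that, but it is a sentinel comparison evaluated after `escapedMailAddr`, `s1` and `s2` have already been built, and it only works if the earlier hunk rewrote the row. Suggest checking `mailAddr.length == 0` directly at the top of the loop body and skipping the entry, which stands on its own and avoids constructing the degenerate regexes at all.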
@@ -368,7 +373,7 @@
                     escapedMailAddr=mailAddr.replace(escapeRegExp, "\\$1");
                     s1=new RegExp("[, ]?"+escapedMailAddr+"[, ]","i");
                     s2=new RegExp("[, ]"+escapedMailAddr+"[, ]?","i");
-                    if (toAddr.search(s1)>=0 || toAddr.search(s2)>=0) {
+                    if ((mailAddr != emptyUid) && (toAddr.search(s1)>=0 || 
toAddr.search(s2)>=0)) {
                       aUserList[i].activeState = 1;
                     }
                   }
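Review bot: this is the same guard as in the previous hunk, duplicated in the second loop, so a third place that consumes `aUserList` would need it again. Suggest filtering address-less entries once when `aUserList` is built (or a small helper shared by both loops) rather than repeating the comparison. Also, the guard only prevents `aUserList[i].activeState = 1`; the empty-UID entry itself still sits in `aUserList`, and the patch does not show whether it remains listed and selectable by hand in the dialog. That should be confirmed before closing the issue.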

--===============0626480308==--
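As an added illustration of the bug described in the report above (this is not Enigmail's code and not part of the original message): a small JavaScript model of the selection dialog's recipient matching, run over a constructed key listing, with the vulnerable selector beside a hardened one. The column indexes, the extraction of the address from a user ID and the space padding of the To: string are assumptions made for this example.

```javascript
// Added example; not Enigmail's code. It reproduces the recipient-matching
// shape seen in enigmailUserSelection.js (a UID's address must occur in the
// To: string next to a comma or space), shows why a key whose user ID is
// empty is matched for every message, and gives a selector that ignores
// address-less UIDs.

// Constructed `gpg --with-colons --list-keys` output (not a real keyring).
// Field 10 (index 9) of a uid record is the user ID; the second key has none.
const GPG_LISTING = [
  "pub:u:1024:17:1111111111111111:2005-01-01:::u:::scESC:",
  "uid:u::::2005-01-01::0000::Alice Example <alice@example.org>:",
  "pub:u:1024:17:2222222222222222:2005-01-01:::u:::scESC:",
  "uid:u::::2005-01-01::0000:::",
  "pub:u:1024:17:3333333333333333:2005-01-01:::u:::scESC:",
  "uid:u::::2005-01-01::0000::Mallory <mallory@example.net>:",
].join("\n");

const KEY_ID = 4;   // 0-based column of the key ID in pub records (assumed)
const USER_ID = 9;  // 0-based column of the user ID in uid records (assumed)

// Parse the listing into [{ keyId, userIds: [...] }, ...].
function parseKeyListing(listing) {
  const keys = [];
  for (const line of listing.split("\n")) {
    const f = line.split(":");
    if (f[0] === "pub") {
      keys.push({ keyId: f[KEY_ID], userIds: [] });
    } else if (f[0] === "uid" && keys.length > 0) {
      keys[keys.length - 1].userIds.push(f[USER_ID]);
    }
  }
  return keys;
}

// Address part of a user ID ("Name <addr>" -> "addr"); a simplification of
// what the dialog does, assumed here for the example.
function mailAddrOf(userId) {
  const m = userId.match(/<([^>]*)>/);
  return (m ? m[1] : userId).trim();
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// The two patterns from the dialog. With mailAddr === "" they collapse to
// /[, ]?[, ]/ and /[, ][, ]?/, which match any separator or padding space.
function addrMatchesRecipients(mailAddr, toAddr) {
  const escaped = escapeRegExp(mailAddr);
  const s1 = new RegExp("[, ]?" + escaped + "[, ]", "i");
  const s2 = new RegExp("[, ]" + escaped + "[, ]?", "i");
  // Assumption: the recipient string is padded with spaces so that a lone
  // address still has a delimiter on each side.
  const padded = " " + toAddr + " ";
  return padded.search(s1) >= 0 || padded.search(s2) >= 0;
}

// Vulnerable selector: every UID takes part in matching, so the key with the
// empty UID is chosen for any recipient list.
function selectRecipientKeysVulnerable(keys, toAddr) {
  return keys
    .filter((k) => k.userIds.some((uid) => addrMatchesRecipients(mailAddrOf(uid), toAddr)))
    .map((k) => k.keyId);
}

// Hardened selector: a UID without an address can never match. This checks
// emptiness directly instead of substituting the " -" placeholder the
// upstream patch uses; the selection result is the same.
function selectRecipientKeysFixed(keys, toAddr) {
  return keys
    .filter((k) =>
      k.userIds
        .map(mailAddrOf)
        .filter((addr) => addr.length > 0)
        .some((addr) => addrMatchesRecipients(addr, toAddr)))
    .map((k) => k.keyId);
}

// Stand-alone demo: a message to an address that has no key on the ring.
const demoKeys = parseKeyListing(GPG_LISTING);
console.log("vulnerable:", selectRecipientKeysVulnerable(demoKeys, "bob@example.org"));
console.log("fixed:     ", selectRecipientKeysFixed(demoKeys, "bob@example.org"));
```

The demo sends to an address for which no key exists: the vulnerable selector still returns the key with the empty user ID, which is exactly the silent wrong-recipient encryption the report describes, while the hardened one returns nothing and leaves the choice to the user.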

---------------------------------------
Received: (at 335731-done) by bugs.debian.org; 27 Oct 2005 19:19:54 +0000
>From [EMAIL PROTECTED] Thu Oct 27 12:19:54 2005
Return-path: <[EMAIL PROTECTED]>
Received: from moutng.kundenserver.de [212.227.126.188] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EVDI2-00083z-00; Thu, 27 Oct 2005 12:19:54 -0700
Received: from d229183.adsl.hansenet.de [80.171.229.183] 
(helo=senica.personalfree.com)
        by mrelayeu.kundenserver.de with ESMTP (Nemesis),
        id 0MKxQS-1EVDI11A9x-0004Ld; Thu, 27 Oct 2005 21:19:53 +0200
Received: from [10.0.1.2] (helo=hanson ident=Debian-exim)
        by senica.personalfree.com with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA:32)
        (Exim 4.50)
        id 1EVDHz-0007q4-Bs
        for [EMAIL PROTECTED]; Thu, 27 Oct 2005 21:19:51 +0200
Received: from alex by hanson with local (Exim 4.54)
        id 1EVDHz-0002yZ-Oy
        for [EMAIL PROTECTED]; Thu, 27 Oct 2005 21:19:51 +0200
Resent-From: Alexander Sack <[EMAIL PROTECTED]>
Resent-Date: Thu, 27 Oct 2005 21:19:51 +0200
Resent-Message-ID: <[EMAIL PROTECTED]>
Resent-To: [EMAIL PROTECTED]
Date: Thu, 27 Oct 2005 20:31:43 +0200
From: Alexander Sack <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: security issue is already fixed in unstable ... go to testing!
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
Resent-Date: Thu, 27 Oct 2005 21:19:51 +0200
X-Provags-ID: kundenserver.de [EMAIL PROTECTED] 
login:cbe77bd78e1b43e9d8afa4235a070258
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02

Version: 2:0.93-1

this issue is fixed in unstable, so let it in!

-- 
 GPG messages preferred. |  .''`.  ** Debian GNU/Linux **
 Alexander Sack          | : :' :      The  universal
 [EMAIL PROTECTED]         | `. `'      Operating System
 http://www.jwsdot.com/  |   `-    http://www.debian.org/

