Thanks very much for this work, Patrick!  And thanks to Posteo and
Mozilla for funding this research.

On Tue 2017-12-19 08:45:29 +0100, Patrick Brunschwig wrote:
> [1]
> <https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf>
> [2] <https://sourceforge.net/p/enigmail/bugs/709/>

Are there CVE numbers assigned to these?

I see 6 vulnerabilities listed that seem CVE-worthy to me:

 * TBE-01-002 Enigmail: Weak Parsing Causes Confidentiality Compromise (Critical)

    (The description of this one is a bit confused -- it's not clear who
     is sending the e-mail, or who the attacker is, or how the message
     is specifically encrypted.  It also references TB-01-004, which
     isn't listed in the excerpt.)

 * TBE-01-005 Enigmail: Replay of encrypted Contents leads to Plaintext Leak (High)

 * TBE-01-021 Enigmail: Flawed parsing allows faked Signature Display (Critical)

 * TBE-01-001 Enigmail: Insecure Random Secret Generation (Low)

 * TBE-01-003 Enigmail: Regular Expressions Exploitable for Denial of Service (Low)

 * https://sourceforge.net/p/enigmail/bugs/709/  Enigmail: Signature Spoofing Attacks using multipart/related

---------


If you've already got CVEs assigned, can you report them?  If you don't,
and you want to request them yourself, you can get them here:

   https://cveform.mitre.org/

If you don't want to bother, I can request CVEs for you and report back
on-list.

Please let me know what you prefer to do about getting CVEs here!

       --dkg

