Thanks very much for this work, Patrick!  And thanks to Posteo and
Mozilla for funding this research.

On Tue 2017-12-19 08:45:29 +0100, Patrick Brunschwig wrote:
> [1] <>
> [2] <>

Are there CVE numbers assigned to these?

I see 6 vulnerabilities listed that seem CVE-worthy to me:

 * TBE-01-002 Enigmail: Weak Parsing Causes Confidentiality Compromise 

    (the description of this one is a bit confused -- it's not clear who
     is sending the e-mail, or who the attacker is, or how the message
     is specifically encrypted.  it also references TB-01-004, which
     isn't listed in the excerpt)

 * TBE-01-005 Enigmail: Replay of encrypted Contents leads to Plaintext Leak 

 * TBE-01-021 Enigmail: Flawed parsing allows faked Signature Display (Critical)

 * TBE-01-001 Enigmail: Insecure Random Secret Generation (Low)

 * TBE-01-003 Enigmail: Regular Expressions Exploitable for Denial of Service 

 *  Enigmail: Signature Spoofing Attacks using multipart/related


If you've already got CVEs assigned, can you report them?  If you don't,
and you want to request them yourself, you can get them here:

If you don't want to bother, i can request CVEs for you and report back.

Please let me know what you prefer to do about getting CVEs here!

