# tentatively lowering severity, but I still think it's a security risk
severity 739828 important
tags 739828 + security
# the referenced upstream bug seems unrelated to this?
notforwarded 739828
notfixed 739828 enigmail/2:1.6-1
# issue is still there
found 739828 2:1.7.2-1~deb7u1


Sorry for leaving this bug unanswered so long.  I don't much use
enigmail/icedove any more.  But I checked today with the latest enigmail
in wheezy that this issue is still present.

I notice something new I didn't realise before.  One of the attachments
in the mail (ForwardedMessage.eml) *was* signed by me (in the detached
signature.asc, also attached), and that's the signature really being
verified here.  The attached screenshot illustrates this.

The problem is that the first/main part of the message
(see https://lists.debian.org/debian-bsd/2014/02/msg00244.html)
is not signed at all.  Anything could be written there, the headers
could be forged, and the user interface would still show green / "Good
signature from <...>".

(The timestamp of the signature at the top, and list of attachments at
the bottom are not expanded/shown by default).

An imposter would simply attach an old, legitimately signed mail from
the sender to be spoofed, and enigmail would make the whole mail appear
to be genuine.

Steven Chamberlain
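The structural point in the report, as an added example that is not part of the original bug mail and is not Enigmail's or the reporter's code: two constructed messages, one laid out like the report describes (unsigned cover text with an old ForwardedMessage.eml and a detached signature.asc merely attached beside it) and one wrapped as RFC 3156 multipart/signed. A standard-library walk of the MIME tree reports which parts a signature can cover at all; no signature is cryptographically verified here, and the signature bodies are placeholders. The function and variable names are this example's own.

```python
# Added example (not Enigmail code): which MIME parts can a PGP signature cover?
import email
from email import policy

PGP_SIG = "application/pgp-signature"

# Constructed sample modelled on the report: unsigned cover text, plus an old
# .eml and its detached signature merely attached beside it (no real signature).
FORGED_RAW = """\
From: Sender <sender@example.org>
Subject: Cover text that nobody signed
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii

This text was never signed; the headers above could be forged too.
--outer
Content-Type: message/rfc822; name="ForwardedMessage.eml"
Content-Disposition: attachment; filename="ForwardedMessage.eml"

Subject: Old, genuinely signed mail
Content-Type: text/plain; charset=us-ascii

Old message body that signature.asc really covers.
--outer
Content-Type: application/pgp-signature; name="signature.asc"

placeholder, not a real signature
--outer--
"""

# Constructed contrast: RFC 3156 multipart/signed, where the MIME structure
# itself says what the signature covers (the first child part).
PROPER_RAW = """\
From: Sender <sender@example.org>
Subject: Signed cover text
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain; charset=us-ascii

This text is inside the signed part.
--sig
Content-Type: application/pgp-signature; name="signature.asc"

placeholder, not a real signature
--sig--
"""

def iter_parts(part, path=()):
    """Depth-first (path, part) pairs, descending into message/rfc822 too."""
    yield path, part
    if part.is_multipart():
        for i, sub in enumerate(part.get_payload()):
            yield from iter_parts(sub, path + (i,))

def signed_roots(msg):
    """Paths whose whole subtree is the signed data of an RFC 3156 wrapper."""
    return {path + (0,) for path, part in iter_parts(msg)
            if part.get_content_type() == "multipart/signed"
            and part.get_param("protocol") == PGP_SIG
            and len(part.get_payload()) == 2}

def unscoped_signatures(msg):
    """pgp-signature parts that are plain attachments: MIME gives them no scope."""
    return [path + (i,) for path, part in iter_parts(msg) if part.is_multipart()
            and part.get_content_type() != "multipart/signed"
            for i, sub in enumerate(part.get_payload())
            if sub.get_content_type() == PGP_SIG]

def coverage(msg):
    """One record per displayed unit: a leaf part or an attached message/rfc822."""
    roots, units = signed_roots(msg), []
    def visit(part, path):
        ctype = part.get_content_type()
        if part.is_multipart() and ctype != "message/rfc822":
            for i, sub in enumerate(part.get_payload()):
                visit(sub, path + (i,))
        else:
            units.append({"path": path, "type": ctype, "name": part.get_filename(),
                          "covered": any(path[:len(r)] == r for r in roots)})
    visit(msg, ())
    return units

def body_is_signed(msg):
    """Is the first thing the reader sees (the first unit) actually covered?"""
    return coverage(msg)[0]["covered"]

FORGED = email.message_from_string(FORGED_RAW, policy=policy.default)
PROPER = email.message_from_string(PROPER_RAW, policy=policy.default)

if __name__ == "__main__":
    for label, m in (("forged", FORGED), ("rfc3156", PROPER)):
        print(label, body_is_signed(m), unscoped_signatures(m), coverage(m))
```

For the forged layout every unit, including the cover text, comes back uncovered and signature.asc is reported as an unscoped attachment: even if a client verifies it against the neighbouring .eml, nothing in the MIME structure ties that result to the outer message, so a "good signature" indicator for the whole mail is unjustified. For the multipart/signed layout the cover text is the signed data and only it is marked covered.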

