Your message dated Wed, 07 Mar 2018 16:19:26 +0000
with message-id <e1etbmo-0002dj...@fasolo.debian.org>
and subject line Bug#891882: fixed in enigmail 2:2.0~beta2-1
has caused the Debian Bug report #891882,
regarding enigmail 2.0~beta1 runs unsandboxed code (pepmda) from the Internet without prompting the user
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
891882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891882
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: enigmail
Version: 2:2.0~beta1-1
Severity: normal

enigmail 2.0 downloads pepmda from the internet by default, even for
users who have not opted into using pep.  This includes the following
files, which either duplicate code already in Debian, or which we
don't have source for in Debian:

  3589171  28708 -rwxr-xr-x   1 tst      tst      29394216 Feb 25 14:48 pepmda/bin/pep-json-server
  3589180      4 -rw-r--r--   1 tst      tst          1206 Feb 25 14:49 pepmda/release.json
  3589178  18816 -rw-r--r--   1 tst      tst      19267584 Feb 25 14:48 pepmda/share/pEp/system.db
  3589169      4 -rw-r--r--   1 tst      tst          1150 Feb 25 14:49 pepmda/share/pEp/html/json-test.ico
  3589177      4 -rw-r--r--   1 tst      tst          2991 Feb 25 14:49 pepmda/share/pEp/html/index.html
  3572660     20 -rw-r--r--   1 tst      tst         18104 Feb 25 14:49 pepmda/share/pEp/html/interactive.js
  3589188     84 -rw-r--r--   1 tst      tst         85589 Feb 25 14:49 pepmda/share/pEp/html/jquery-2.2.0.min.js
  3534200   4292 -rwxr-xr-x   1 tst      tst       4393056 Feb 25 14:48 pepmda/lib/libetpan.so.17
  3589184    304 -rw-r--r--   1 tst      tst        308360 Feb 25 14:48 pepmda/lib/libevent-2.0.so.5
  3589182    596 -rwxr-xr-x   1 tst      tst        610128 Feb 25 14:48 pepmda/lib/libpEpEngine.so
  3572662   1796 -rw-r--r--   1 tst      tst       1835928 Feb 25 14:48 pepmda/lib/libstdc++.so.6
  3589170     84 -rw-r--r--   1 tst      tst         85112 Feb 25 14:48 pepmda/lib/libgpg-error.so.0
  3589189    284 -rw-r--r--   1 tst      tst        289192 Feb 25 14:48 pepmda/lib/libgpgme.so.11
  3589185   1064 -rw-r--r--   1 tst      tst       1088904 Feb 25 14:48 pepmda/lib/libsqlite3.so.0
  3589183    196 -rw-r--r--   1 tst      tst        198432 Feb 25 14:48 pepmda/lib/libboost_thread.so.1.62.0
  3589174    108 -rw-r--r--   1 tst      tst        108816 Feb 25 14:48 pepmda/lib/libz.so.1
  3589186     80 -rw-r--r--   1 tst      tst         81560 Feb 25 14:48 pepmda/lib/libassuan.so.0
  3589172    608 -rw-r--r--   1 tst      tst        618832 Feb 25 14:48 pepmda/lib/libboost_program_options.so.1.62.0
  3589179     96 -rw-r--r--   1 tst      tst         97392 Feb 25 14:48 pepmda/lib/libgcc_s.so.1
  3589181    116 -rw-r--r--   1 tst      tst        116672 Feb 25 14:48 pepmda/lib/libboost_filesystem.so.1.62.0
  3589173     24 -rw-r--r--   1 tst      tst         22288 Feb 25 14:48 pepmda/lib/libuuid.so.1
  3589187     20 -rw-r--r--   1 tst      tst         18520 Feb 25 14:48 pepmda/lib/libboost_system.so.1.62.0


I don't think it is appropriate for a package in Debian; users can't
ensure that these packages are kept up-to-date (or that they meet
Debian standards), and they don't necessarily have the free software
guarantees that they might expect, even if pep as distributed today is
entirely free software.

In particular, they are fetched by package/installPep.jsm, which pulls
the info about the p≡p library from
https://www.enigmail.net/service/getPepDownload.svc, which looks like
it permits the controller of https://www.enigmail.net/ to serve
arbitrary data (the fingerprints of the files to download are not
embedded in the enigmail source).

(there are other nagging technical details too, such as this profile
not working in a multiarch scenario, but those are secondary to the
software freedom and arbitrary code execution concerns above)

This appears to remain the situation in subsequent betas of enigmail,
so I'm going to raise the concern upstream.

I do not think this enigmail should make it into Debian unstable with
this behavior.  While I'm trying to figure out a satisfactory solution
with upstream, I'll most likely try to patch this part out if I can
figure out how to do so cleanly.

   --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages enigmail depends on:
ii  gnupg                    2.2.5-1
ii  gnupg-agent              2.2.5-1
ii  gnupg2                   2.2.5-1
ii  gpg-agent [gnupg-agent]  2.2.5-1
ii  icedove                  1:52.4.0-1
ii  thunderbird              1:52.6.0-1+b1

Versions of packages enigmail recommends:
ii  pinentry-gnome3 [pinentry-x11]  1.1.0-1
ii  pinentry-gtk2 [pinentry-x11]    1.1.0-1
ii  pinentry-qt [pinentry-x11]      1.1.0-1

enigmail suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: enigmail
Source-Version: 2:2.0~beta2-1

We believe that the bug you reported is fixed in the latest version of
enigmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated enigmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 07 Mar 2018 11:36:44 +0100
Source: enigmail
Binary: enigmail
Architecture: source
Version: 2:2.0~beta2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Description:
 enigmail   - GPG support for Thunderbird and Debian Icedove
Closes: 891882
Changes:
 enigmail (2:2.0~beta2-1) experimental; urgency=medium
 .
   * convert to DEP-14 branch naming schemes
   * point to upstream-experimental branch
   * drop patches applied upstream
   * import bugfix patches from upstream
   * Avoid auto-download of pEpEngine (Closes: #891882)

--- End Message ---
_______________________________________________
Pkg-mozext-maintainers mailing list
Pkg-mozext-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mozext-maintainers