Package: mozilla-thunderbird-enigmail
Version: 2:0.91-4sarge2
Severity: grave

Enigmail has had a serious bug for a long time, see http://bugzilla.mozdev.org/show_bug.cgi?id=9730 for details. An attacker can send properly crafted encrypted emails to the Enigmail user that will crash the receiver's instance of Thunderbird. Whether it is possible to inject code or to access the user's passphrase using this approach is unclear.

A patch fixing the issue appeared on the Enigmail mailing list. The latest Enigmail release (from yesterday, version v0.94.2) fixes the issue.

I believe this bug justifies a security update to sarge and etch.

Regards,
Tobias

Patrick Brunschwig's patch:

Index: enigmail.js =================================================================== RCS file: /cvs/enigmail/src/package/enigmail.js,v retrieving revision 1.190 diff -u -r1.190 enigmail.js --- enigmail.js 8 Jul 2006 16:16:50 -0000 1.190 +++ enigmail.js 11 Jan 2007 10:33:04 -0000 @@ -883,9 +883,6 @@ DEBUG_LOG("enigmail.js: EnigmailProtocolHandler.newChannel: messageURL="+messageUriObj.originalUrl+", "+contentType+", "+contentCharset+"\n"); - if (!messageUriObj.persist) - delete gEnigmailSvc._messageIdList[messageId]; - } else { contentType = "text/plain";
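
Review bot: nothing in this hunk releases `gEnigmailSvc._messageIdList[messageId]` any more once the `if (!messageUriObj.persist)` / `delete` pair in `EnigmailProtocolHandler.newChannel` is gone, so entries for non-persistent messages now stay in the list for as long as the service lives unless another code path removes them. Please say in the patch description where those entries are expected to be freed (or add that cleanup), since message content kept in memory longer than needed is itself a concern for a mail encryption add-on. It would also help to state why deleting the entry on first access led to the crash, and whether `messageUriObj.persist` still has any reader after this change; if not, the flag should be dropped in the same patch.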