Bug 1477744

Summary: Emacs movemail POP is insecure
Product: [Fedora] Fedora
Reporter: Paul Eggert <eggert>
Component: emacs
Assignee: Jan Synacek <jsynacek>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 26
CC: jonathan.underwood, jsynacek, msekleta, phracek
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: All
Last Closed: 2017-08-03 06:47:11 UTC
Type: Bug

Description Paul Eggert 2017-08-02 19:10:09 UTC
Description of problem:
The program /usr/libexec/emacs/25.2/*/movemail, shipped as part of Emacs in Fedora 26, supports only insecure (plaintext) POP. This is an obvious security problem.

Version-Release number of selected component (if applicable):
Emacs 25.2
Fedora 26

How reproducible:
Use Emacs to read your mail via POP. Your email will go over the network in the clear. Emacs movemail does not support encrypted transfer.

Additional info:
GNU Emacs 26 and later will address this issue by using GNU Mailutils if so configured. I suggest configuring Emacs 26 with './configure --with-mailutils', and installing GNU Mailutils as a prerequisite for Emacs.

Comment 1 Jan Synacek 2017-08-03 06:47:11 UTC
Emacs 26 hasn't been released yet. Also, more importantly, GNU Mailutils is not packaged for Fedora.

Comment 2 Paul Eggert 2017-08-03 08:09:25 UTC
(In reply to Jan Synacek from comment #1)
> Emacs 26 hasn't been released yet. Also, more importantly, GNU Mailutils is
> not packaged for Fedora.

Both of these things are true, and that is why I suggested configuring --with-mailutils as a long-term fix.

The security hole is an immediate problem, though. I suggest configuring Emacs --without-pop right away: this should close the hole for all versions of Emacs being shipped by Fedora. The downside is that this withdraws POP3 support from Emacs, but the support is inherently insecure in a big way (plaintext email transfer!) and should not be used.

Comment 3 Jan Synacek 2017-08-03 08:25:09 UTC
Well, I can do that, but that would also be a regression. I don't consider this too much of a problem, because if someone uses Emacs to retrieve email over POP, they surely know what they are doing.

Comment 4 Paul Eggert 2017-08-03 09:18:22 UTC
(In reply to Jan Synacek from comment #3)
> if someone uses Emacs to retrieve email
> over POP, they surely know what they are doing.

I'm afraid not. Emacs users typically do not know that POP3 mail retrieval works only in unencrypted mode and is inherently insecure. For example, this security problem is not specifically mentioned in:

https://www.emacswiki.org/emacs/GettingMail
https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html

which are among the first places that users are likely to look.

Even expert users are likely to be tripped up by this. Although I've been using Emacs since the 1980s, it came as a surprise to me that POP3 email retrieval does not support encryption. I thought that it just worked (as it works in virtually every other email client).

You're right that configuring --without-pop would be a regression. However, it's a regression that is called for in this particular case.
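
Added example (not part of the bug report and not code from Emacs or Fedora): a small audit that scans an Emacs init file for POP mailbox specifications, so an administrator can find users who would be affected by plaintext movemail POP. It assumes the `po:USER:HOST` syntax of Emacs movemail and the `pop://` and `pops://` URL schemes of GNU Mailutils, with `pops://` taken to mean POP3 over TLS; the sample init file, host names and the verdict labels are constructed for illustration.

```python
import re

# Mailbox specs as they may appear in an Emacs init file (assumed syntax):
#   po:USER[:HOST]          Emacs movemail POP3 syntax
#   pop://... / pops://...  URL syntax handled by GNU Mailutils movemail
SPEC = re.compile(r"""(?<![\w/])(?:po:[^\s"':]+(?::[^\s"']+)?|pops?://[^\s"']+)""")
# user:password@ inside a URL, so passwords never reach the audit output
PASSWORD = re.compile(r"(://[^:/@\s]+):[^@\s]+@")

# Constructed sample init file, not taken from the bug report.
SAMPLE_INIT = '''\
;; mail setup
(setq rmail-primary-inbox-list '("po:alice:mail.example.org"))
;; (setq rmail-primary-inbox-list '("po:old:legacy.example.org"))
(setenv "MAILHOST" "mail.example.org")
(setq rmail-primary-inbox-list
      '("pop://bob:hunter2@mail.example.net"
        "pops://carol@mail.example.com"))
'''


def classify(spec):
    """Map a mailbox spec to an audit verdict (labels are this example's own)."""
    if spec.startswith("po:"):
        return "flag"    # Emacs movemail POP: unencrypted per this report
    if spec.startswith("pops://"):
        return "tls"     # assumption: scheme denotes POP3 over TLS
    return "review"      # pop:// : the scheme itself does not promise TLS


def audit(text):
    """Return (line number, redacted spec, verdict) for each POP mailbox spec."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(";"):
            continue     # skip lines that are entirely Lisp comments
        for match in SPEC.finditer(line):
            redacted = PASSWORD.sub(r"\1:***@", match.group(0))
            findings.append((lineno, redacted, classify(match.group(0))))
    return findings


if __name__ == "__main__":
    for lineno, spec, verdict in audit(SAMPLE_INIT):
        print(f"line {lineno}: {verdict:6} {spec}")
```
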