Bug 1591097 (CVE-2018-12019)

Summary: CVE-2018-12019 thunderbird-enigmail: Signature verification does not handle user ids correctly allowing attackers to spoof arbitrary email signatures
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: lupinix.fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: enigmail 2.0.7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:29:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1591098, 1591099    
Bug Blocks:    

Description Sam Fowler 2018-06-14 04:51:17 UTC 
The signature verification routine in Enigmail 2.0.6.1 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.



External References:

https://neopg.io/blog/enigmail-signature-spoof/ 
http://seclists.org/oss-sec/2018/q2/187


Upstream Changelog:

https://www.enigmail.net/index.php/en/download/changelog#enig2.0.7
Comment 1 Sam Fowler 2018-06-14 04:51:40 UTC 
Created thunderbird-enigmail tracking bugs for this issue:

Affects: epel-7 [bug 1591098]
Affects: fedora-all [bug 1591099]
Comment 2 Product Security DevOps Team 2019-06-10 10:29:04 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.