Bug 1923113 (CVE-2021-3349)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2021-3349 evolution-data-server: mail is shown as having a valid signature from an unknown identifier on a previously trusted key | | |
| Product | [Other] Security Response | Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX | QA Contact | |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | unspecified | CC | caillon+fedoraproject, lucilanga, mcrha, rhughes, rstrode |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | evolution-data-server-3.40.4 evolution-3.40.4 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-10-28 10:39:12 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1923116, 1933119, 1933120 | | |
| Bug Blocks | 1923114 | | |
Description

Pedro Sampaio, 2021-02-01 12:44:20 UTC

Created evolution tracking bugs for this issue:

Affects: fedora-all [bug 1923116]

(In reply to Pedro Sampaio from comment #0)

> GNOME Evolution through 3.38.3 produces a "Valid signature" message for an
> unknown identifier on a previously trusted key because Evolution does not
> retrieve enough information from the GnuPG API. NOTE: third parties dispute
> the significance of this issue, and dispute whether Evolution is the best
> place to change this behavior.
>
> https://dev.gnupg.org/T4735
> https://gitlab.gnome.org/GNOME/evolution/-/issues/299
> https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html

Right, the evolution bug, closed for ~two years, basically agrees the problem is on the gnupg side. I do not know what to do with this bug here (it's currently filed for evolution).

Note that Evolution simply asks gnupg to verify the signature and it relies on the result returned from the gnupg binary. Looking into the gnupg bug [1], the `--sender` option can be harmful, I think. That's in the case when the signature has stored the signer address. This may not match the From address of a message sent by a mailing list, which would render the signature as invalid, even if it's otherwise correct. It's how I understand the last example at [2] at least.

Nonetheless, I see Evolution (libcamel from the evolution-data-server) generates signatures without the signer email address, when the key entered in the account Properties is defined by a key ID, instead of by the email address.

[1] https://dev.gnupg.org/T4735
[2] https://dev.gnupg.org/T4735#135274

I tried this with 3.40.4 of the evolution-data-server and evolution and when the From address and the address in the signer key do not match, then Evolution prints:

Valid signature, but sender address and signer address do not match (Signer Name <signer>)

Thus I consider this fixed in 3.40.4.
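The comments above describe the gap behind this CVE: the mail client takes GnuPG's "good signature" verdict at face value and never compares the address in the signer's user ID with the message's From header, so a key with a trusted, well-known identity can be shown as "valid" for a sender it has nothing to do with. The following checker is an added example written for this page; it is not code from the bug report, from Evolution/libcamel or from GnuPG. It assumes the `[GNUPG:] GOODSIG <keyid> <user id>` line format of `gpg --status-fd` output, and the status lines it parses are constructed samples, not captured from a real run. It reproduces the three-way outcome the 3.40.4 fix introduces (valid and matching, valid but mismatching, not verified) and also handles the case the comments mention where the user ID carries no e-mail address at all.

```python
from email.utils import parseaddr

STATUS_PREFIX = "[GNUPG:] "
# Anything other than GOODSIG is treated as "not verified": BADSIG and ERRSIG
# obviously, and, conservatively, the expired/revoked-key variants too.
NOT_GOOD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample output (not from the bug report): a good signature whose
# reported user ID is "Signer Name <signer@example.org>".
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Signer Name <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-02-01 1612183460 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed sample of a failed verification.
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Signer Name <signer@example.org>
"""


def parse_status(status_text):
    """Return (goodsig, key_id, user_id) from gpg --status-fd output.

    Only a GOODSIG line counts as verified. The user ID is returned verbatim,
    because that is all the client normally gets to show.
    """
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        keyword = fields[0]
        if keyword == "GOODSIG" and len(fields) == 3:
            return True, fields[1], fields[2]
        if keyword in NOT_GOOD:
            return False, fields[1] if len(fields) > 1 else "", ""
    return False, "", ""


def address_of(header_or_uid):
    """Lower-cased addr-spec from a From header or an OpenPGP user ID, '' if none."""
    addr = parseaddr(header_or_uid)[1].strip().lower()
    return addr if "@" in addr else ""


def classify(status_text, from_header):
    """Combine GnuPG's verdict with the sender/signer comparison Evolution lacked.

    Returns one of:
      'not_verified'            - GnuPG did not report GOODSIG
      'valid_match'             - GOODSIG and the user ID's address equals From
      'valid_mismatch'          - GOODSIG, but the addresses differ; the case the
                                  3.40.4 fix labels instead of calling it valid
      'valid_no_signer_address' - GOODSIG, but the user ID carries no address
    """
    good, _key_id, user_id = parse_status(status_text)
    if not good:
        return "not_verified"
    signer = address_of(user_id)
    if not signer:
        return "valid_no_signer_address"
    return "valid_match" if signer == address_of(from_header) else "valid_mismatch"


def describe(status_text, from_header):
    """User-facing text, modelled on the message quoted in the last comment."""
    verdict = classify(status_text, from_header)
    _good, _key_id, user_id = parse_status(status_text)
    if verdict == "valid_match":
        return f"Valid signature ({user_id})"
    if verdict == "valid_mismatch":
        return f"Valid signature, but sender address and signer address do not match ({user_id})"
    if verdict == "valid_no_signer_address":
        return f"Valid signature, but the signer's user ID has no e-mail address ({user_id})"
    return "Signature not verified"


if __name__ == "__main__":
    for hdr in ("Signer Name <signer@example.org>", "Some List <list@example.net>"):
        print(f"From: {hdr!r:40} -> {describe(SAMPLE_STATUS_GOOD, hdr)}")
    print(describe(SAMPLE_STATUS_BAD, "Signer Name <signer@example.org>"))
```

The mailing-list case from the comments is the reason the mismatch is reported as its own state rather than folded into "invalid": the cryptographic check still succeeded, only the identity binding is unconfirmed, and a user reading the warning can decide what that means for a list-rewritten From header. The comparison is on the addr-spec only, case-folded, so display-name differences do not trigger it.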