Bug 707848 (CVE-2011-3355)

Summary: CVE-2011-3355 evolution: IMAP does non-SSL connection when storing to Sent folder
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
Hardware: x86_64
OS: Linux
Fixed In Version: evolution 3.1.2
Doc Type: Bug Fix
Last Closed: 2013-07-25 13:20:48 UTC
Reporter: Olivier Crête <olivier.crete>
Assignee: Red Hat Product Security <security-response-team>
CC: fidencio, jkurik, jlieskov, lucilanga, mbarnes, mcrha, paul, security-response-team, vdanen
Keywords: Security
Bug Depends On: 737106
Bug Blocks: 737090

Description Olivier Crête 2011-05-26 07:13:09 UTC
Description of problem:

After updating from F14 to F15, the IMAP component tried to authenticate as plain text over a non-SSL connection when storing to the Sent folder, even though my IMAP connection is configured as SSL (and the server also supports TLS).

For some reason, in the Defaults pref tab, the Sent folder was reset to use the local one instead of the one on the IMAP server (which was correctly configured in F14).

This leads to possible password disclosure... so it's a security problem...


Version-Release number of selected component (if applicable):

evolution-3.0.1-1.fc15.x86_64


How reproducible:

Always... until I re-selected the IMAP folder in Defaults.. then it was gone.

Comment 1 Jan Lieskovsky 2011-06-01 17:27:13 UTC
Hi, Olivier,

  thank you for your report.

(In reply to comment #0)
> How reproducible:
> 
> Always... until I re-selected the IMAP folder in Defaults.. then it was gone.

So when you configured the IMAP account to use the SSL/TLS alternative, the
Defaults pref tab contained the Sent folder for the remote server? IOW, have I
got it right that this was reset without user action / awareness?

Also, by 'until I re-selected the IMAP folder in Defaults' you mean
you set it back in the Defaults tab to be the Sent folder on the remote server
machine, right? Or do you mean just clicking on it?

Thank you, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 2 Olivier Crête 2011-06-01 17:45:32 UTC
In Evo 2.32 I had selected the remote folder, so it was still selected when upgrading to 3.0. But it tried to connect to the server over a non-SSL (sending my username/password without SSL). I only realised there was a problem because our Dovecot server only allows upgrading to TLS over a non-SSL connection.

I went into the Defaults tab, clicked on the button, re-selected the remote folder from the list (I think something else was selected, not sure), and clicked OK. After doing that, it seemed to fix itself.
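
The exposure Olivier describes can be confirmed from a packet capture of the port 143 session rather than from Evolution's settings. The following is an added example, not code from Evolution, Dovecot or anyone on this bug: it walks a captured plaintext IMAP exchange line by line and flags every LOGIN or AUTHENTICATE PLAIN the client sent before STARTTLS had succeeded. The transcripts, the hostname, the username and the password in it are constructed for the example.

```python
"""Audit a captured plaintext IMAP session for credentials sent before STARTTLS.

Added example, not code from Evolution, Dovecot or Red Hat. It walks the
client ("C:") and server ("S:") lines of a port-143 capture and reports
every LOGIN or AUTHENTICATE PLAIN the client issued while the connection
was still in the clear, which is the exposure described in this bug.
All transcripts below are constructed; the hostname, username and
password are made up.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Finding:
    tag: str        # IMAP command tag the client used
    mechanism: str  # "LOGIN" or "AUTHENTICATE PLAIN"
    username: str   # the exposed username; the password is deliberately not copied


_CLIENT = re.compile(r"^C: (\S+) (\S+)(?: (.*))?$")
_SERVER = re.compile(r"^S: (\S+) (OK|NO|BAD)\b", re.IGNORECASE)


def _plain_username(b64_payload: str) -> str:
    """Recover the authcid from a SASL PLAIN message (authzid NUL authcid NUL passwd)."""
    try:
        parts = base64.b64decode(b64_payload, validate=True).split(b"\x00")
    except ValueError:  # binascii.Error is a ValueError
        return "<undecodable>"
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else "<undecodable>"


def audit_session(lines):
    """Return the credentials that crossed the wire in the clear, in order."""
    findings = []
    tls_active = False
    starttls_tag = None  # tag of an outstanding STARTTLS command
    plain_tag = None     # tag of an AUTHENTICATE PLAIN still waiting for its payload line
    for line in lines:
        if tls_active:
            break  # everything after a successful STARTTLS is ciphertext on the wire
        if plain_tag is not None and line.startswith("C: "):
            payload = line[3:].strip()
            if payload != "*":  # "*" cancels the SASL exchange, nothing was sent
                findings.append(Finding(plain_tag, "AUTHENTICATE PLAIN", _plain_username(payload)))
            plain_tag = None
            continue
        m = _CLIENT.match(line)
        if m:
            tag, cmd, args = m.group(1), m.group(2).upper(), m.group(3) or ""
            if cmd == "STARTTLS":
                starttls_tag = tag
            elif cmd == "LOGIN":
                findings.append(Finding(tag, "LOGIN", args.split(" ", 1)[0].strip('"')))
            elif cmd == "AUTHENTICATE" and args.upper().startswith("PLAIN"):
                rest = args.split(" ", 1)
                if len(rest) == 2:  # SASL-IR: initial response given on the command line
                    findings.append(Finding(tag, "AUTHENTICATE PLAIN", _plain_username(rest[1])))
                else:
                    plain_tag = tag
            continue
        m = _SERVER.match(line)
        if m and m.group(1) == starttls_tag:
            tls_active = m.group(2).upper() == "OK"  # a NO/BAD leaves the session in the clear
            starttls_tag = None
    return findings


# Constructed capture of the behaviour in this bug: the client sends its
# credentials in the clear although the server advertises STARTTLS and
# LOGINDISABLED, and the server refuses them both times.
BAD_SESSION = [
    "S: * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] imap.example.invalid ready.",
    "C: a001 LOGIN olivier hunter2",
    "S: a001 NO Plaintext authentication disallowed on a non-secure connection.",
    "C: a002 AUTHENTICATE PLAIN",
    "S: + ",
    "C: " + base64.b64encode(b"\x00olivier\x00hunter2").decode(),
    "S: a002 NO Plaintext authentication disallowed on a non-secure connection.",
]

# Constructed capture of the correct behaviour: STARTTLS first, after which
# the capture shows nothing further because the session is encrypted.
GOOD_SESSION = [
    "S: * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] imap.example.invalid ready.",
    "C: a001 STARTTLS",
    "S: a001 OK Begin TLS negotiation now.",
]


if __name__ == "__main__":
    for name, session in (("bad", BAD_SESSION), ("good", GOOD_SESSION)):
        print(name, audit_session(session) or "no plaintext credentials")
```

The same walk works on the output of tshark's "-T fields" over an IMAP filter once the lines are prefixed by direction; a finding on a client that is configured for SSL/TLS is exactly the symptom in this bug. Note that the server's LOGINDISABLED and NO responses limit the damage to credential exposure, not account compromise on that server, but the same credentials may be valid elsewhere.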

Comment 5 Jan Lieskovsky 2011-09-09 15:43:39 UTC
*** Bug 697904 has been marked as a duplicate of this bug. ***

Comment 7 Jan Lieskovsky 2011-09-09 16:03:10 UTC
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2011/09/09/1

Comment 8 Jan Lieskovsky 2011-09-09 16:07:45 UTC
Created evolution tracking bugs for this issue

Affects: fedora-15 [bug 737106]

Comment 10 Jan Lieskovsky 2011-09-09 16:30:34 UTC
This issue did NOT affect the versions of the evolution and evolution28 packages, as shipped with Red Hat Enterprise Linux 4.

This issue did NOT affect the versions of the evolution package, as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 11 Jan Lieskovsky 2011-09-09 16:32:22 UTC
Statement:

Not vulnerable. This issue did not affect the versions of evolution as shipped with Red Hat Enterprise Linux 4, 5, or 6. This issue did not affect the version of evolution28 as shipped with Red Hat Enterprise Linux 4.

Comment 12 Vincent Danen 2011-09-09 23:11:47 UTC
This was assigned the name CVE-2011-3355.