Bug 1477744 - Emacs movemail POP is insecure
Emacs movemail POP is insecure
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: emacs (Show other bugs)
26
All All
unspecified Severity high
: ---
: ---
Assigned To: Jan Synacek
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-02 15:10 EDT by Paul Eggert
Modified: 2017-08-04 04:47 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-03 02:47:11 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Eggert 2017-08-02 15:10:09 EDT
Description of problem:
The program /usr/libexec/emacs/25.2/*/movemail, shipped as part of Emacs in Fedora 26, supports only insecure (plaintext) POP. This is an obvious security problem.

Version-Release number of selected component (if applicable):
Emacs 25.2
Fedora 26

How reproducible:
Use Emacs to read your mail via POP. Your email will go over the network in the clear. Emacs movemail does not support encrypted transfer.

Additional info:
GNU Emacs 26 and later will address this issue by using GNU Mailutils if so configured. I suggest configuring Emacs 26 with './configure --with-mailutils', and installing GNU Mailutils as a prerequisite for Emacs.
Comment 1 Jan Synacek 2017-08-03 02:47:11 EDT
Emacs 26 hasn't been released yet. Also, more importantly, GNU Mailutils is not packaged for Fedora.
Comment 2 Paul Eggert 2017-08-03 04:09:25 EDT
(In reply to Jan Synacek from comment #1)
> Emacs 26 hasn't been released yet. Also, more importantly, GNU Mailutils is
> not packaged for Fedora.

Both of these things are true, and that is why I suggested configuring --with-mailutils as a long-term fix.

The security hole is an immediate problem, though. I suggest configuring Emacs --without-pop right away: this should close the hole for all versions of Emacs being shipped by Fedora. The downside is that this withdraws POP3 support from Emacs, but the support is inherently insecure in a big way (plaintext email transfer!) and should not be used.
Comment 3 Jan Synacek 2017-08-03 04:25:09 EDT
Well, I can do that, but that would also be a regression. I don't consider this too much of a problem, because if someone uses Emacs to retrieve email over POP, they surely know what they are doing.
Comment 4 Paul Eggert 2017-08-03 05:18:22 EDT
(In reply to Jan Synacek from comment #3)
> if someone uses Emacs to retrieve email
> over POP, they surely know what they are doing.

I'm afraid not. Emacs users typically do not know that POP3 mail retrieval works only in unencrypted mode and is inherently insecure. For example, this security problem is not specifically mentioned in:

https://www.emacswiki.org/emacs/GettingMail
https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html

which are among the first places that users are likely to look.

Even expert users are likely to be tripped up by this. Although I've been using Emacs since the 1980s, it came as a surprise to me that POP3 email retrieval does not support encryption. I thought that it just worked (as it works in virtually every other email client).

You're right that configuring --without-pop would be a regression. However, it's a regression that is called for in this particular case.

Note You need to log in before you can comment on or make changes to this bug.