GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.

Upstream issue:
https://bugzilla.gnome.org/show_bug.cgi?id=796424

Upstream Patch:
https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85

Created evolution tracking bugs for this issue:
Affects: fedora-28 [bug 1677651]
Thanks for the bug report. As the maintainer and an author of the upstream changes:

(In reply to msiddiqu from comment #0)
> https://gitlab.gnome.org/GNOME/evolution/issues/120

This basically proves that HTML mails are bad. People are using them anyway. When looking into the bug description, the main differences in the provided screenshots are:
1) missing "Security" header, which is the main indication that some content is signed/encrypted in the message;
2) the round corner of the message body is not green;
3) the border of the message body doesn't have a gap between the body and the signature information;
4) clicking the signature button to see the signature information would not work.
I agree that some of these are really tiny details and can be overlooked easily.

> https://gitlab.gnome.org/GNOME/evolution-data-server/issues/3

I do not want to backport this one to a to-be-in-end-of-life-soon version, because it had some regressions and follow-up fixes (because there is no good way (or I'm not aware of any) to synchronize data between two streams provided by gpg).

> Upstream Patch:
>
> https://github.com/clearlinux-pkgs/evolution/commit/
> 70c9346f1a3e4e25344eb7a1f64147dc8dfe9b12

Upstream doesn't use GitHub; the correct upstream commit link is:
https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21
Given a valid OpenPGP signed message signed by person P, it is possible for an attacker to trick Evolution into displaying the "GPG signed" message even if arbitrary text is added to the email, without any signing applied. Thus the victim will see the attacker-controlled message as validly signed by person P.
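The message shape described above, and the check a mail client needs to get right, as an added example that is not Evolution's code and not part of this bug report. It builds two constructed messages with Python's standard email library: the one P actually sent (a multipart/signed body, RFC 1847 / RFC 3156 layout) and one in which an attacker wraps that same signed part as an attachment next to unsigned text. The signature blob is a placeholder, not a real OpenPGP signature; cryptographic verification with gpg is out of scope here. The point of the example is scoping: only the MIME subtree under body part 1 of a multipart/signed container is covered by the signature, and a client that marks the whole message "signed" because some part verifies is exactly the failure described. All names (build_legit_message, build_spoof_message, signed_coverage, is_fully_signed) and the sample addresses are assumptions of this example.

```python
"""Constructed example: signature scoping for OpenPGP/MIME messages.

Not Evolution's code. Shows why "a valid signature exists somewhere in the
message" is not the same as "the text the user reads is signed".
"""
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Placeholder armour only; a real client hands body part 1 and this blob to
# gpg --verify. The scoping logic below does not depend on its contents.
FAKE_SIGNATURE = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "(placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)

SIGNED_TEXT = "Please pay invoice 42 to the usual account."          # what P signed
ATTACKER_TEXT = "Please pay invoice 42 to the NEW account below."    # never signed


def signed_part(text):
    """multipart/signed per RFC 1847 / RFC 3156: body part 1 is the content the
    signature covers, body part 2 is the detached signature."""
    container = MIMEMultipart("signed", protocol="application/pgp-signature",
                              micalg="pgp-sha256")
    container.attach(MIMEText(text, "plain"))
    container.attach(MIMEApplication(FAKE_SIGNATURE.encode(), "pgp-signature",
                                     name="signature.asc"))
    return container


def roundtrip(msg):
    """Serialise and re-parse so the check runs on what a client would receive."""
    return email.message_from_bytes(msg.as_bytes())


def build_legit_message():
    """What P actually sent: the signed container is the whole message body."""
    msg = signed_part(SIGNED_TEXT)
    msg["From"] = "P <p@example.org>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "invoice 42"
    return roundtrip(msg)


def build_spoof_message():
    """Attacker reuses P's valid signed part as an attachment beside unsigned text."""
    outer = MIMEMultipart("mixed")
    outer["From"] = "P <p@example.org>"      # header is unauthenticated anyway
    outer["To"] = "victim@example.org"
    outer["Subject"] = "invoice 42"
    outer.attach(MIMEText(ATTACKER_TEXT, "plain"))   # attacker-controlled, unsigned
    outer.attach(signed_part(SIGNED_TEXT))           # P's genuine signed part
    return roundtrip(outer)


def signed_coverage(msg):
    """Return [(path, text, covered)] for every text/* leaf in the MIME tree.

    A leaf is covered only when it lies under body part 1 of a multipart/signed
    ancestor. The signature part itself and any extra parts of a multipart/signed
    are not signed content unless an enclosing signature already covers them.
    """
    found = []

    def walk(part, path, covered):
        if part.is_multipart():
            children = part.get_payload()
            is_signed_container = part.get_content_type() == "multipart/signed"
            for i, child in enumerate(children):
                if child.get_content_type() == "application/pgp-signature":
                    continue  # the signature is not displayable signed content
                child_covered = covered or (is_signed_container and i == 0)
                walk(child, path + [i], child_covered)
        elif part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True)
            text = raw.decode(part.get_content_charset() or "utf-8").strip()
            found.append(("/".join(map(str, path)) or "root", text, covered))

    walk(msg, [], False)
    return found


def unsigned_paths(msg):
    """MIME paths of text the reader sees that no signature covers."""
    return [path for path, _, covered in signed_coverage(msg) if not covered]


def is_fully_signed(msg):
    """Only then may the client show a single 'signed by P' indicator."""
    cov = signed_coverage(msg)
    return bool(cov) and all(covered for _, _, covered in cov)


if __name__ == "__main__":
    for name, m in (("legit", build_legit_message()), ("spoof", build_spoof_message())):
        print(f"{name}: fully signed = {is_fully_signed(m)}")
        for path, text, covered in signed_coverage(m):
            print(f"  part {path}: {'SIGNED' if covered else 'UNSIGNED'} {text!r}")
```

Run it and the legit message reports its single text part as signed, while the spoof reports part 0 (the attacker's text) as unsigned and only part 1/0 (P's original body) as signed. The fix in a client is to render per-part status, or to refuse the "signed" indicator unless is_fully_signed holds; the four visual differences the maintainer lists above are exactly the per-part cues a user has to notice when the client does not enforce this.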
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1080 https://access.redhat.com/errata/RHSA-2020:1080
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-15587
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1600 https://access.redhat.com/errata/RHSA-2020:1600