Bug 1677650 (CVE-2018-15587) - CVE-2018-15587 evolution: specially crafted email leading to OpenPGP signatures being spoofed for arbitrary messages
Summary: CVE-2018-15587 evolution: specially crafted email leading to OpenPGP signatur...
Alias: CVE-2018-15587
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1677651 1686408 1764563
Blocks: 1677656
TreeView+ depends on / blocked
Reported: 2019-02-15 13:42 UTC by msiddiqu
Modified: 2020-04-28 15:28 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-03-31 22:33:39 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1080 0 None None None 2020-03-31 19:21:25 UTC
Red Hat Product Errata RHSA-2020:1600 0 None None None 2020-04-28 15:28:45 UTC

Description msiddiqu 2019-02-15 13:42:45 UTC
GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. 

Upstream issues : 

Upstream Patch: 

Comment 1 msiddiqu 2019-02-15 13:42:56 UTC
Created evolution tracking bugs for this issue:

Affects: fedora-28 [bug 1677651]

Comment 2 Milan Crha 2019-02-18 11:09:35 UTC
Thanks for a bug report. As the maintainer and an author of the upstream changes:

(In reply to msiddiqu from comment #0)
> https://gitlab.gnome.org/GNOME/evolution/issues/120

This basically proves that HTML mails are bad. People are using them anyway. When looking into the bug description, the main differences in the provided screenshots are:
1) missing "Security" header, which is the main indication that some content is signed/encrypted in the message;
2) the round corner of the message body is not green;
3) the border of the message body doesn't have a gap between the body and the signature information;
4) clicking the signature button to see the signature information would not work.

I agree that some of these are really tiny details and can be overlooked easily.

> https://gitlab.gnome.org/GNOME/evolution-data-server/issues/3

I do not want to backport this one to a to-be-in-end-of-life-soon version, because it had some regressions and follow up fixes (because there is no good way (or I'm not aware of any) to synchronize data between two streams provided by gpg).

> Upstream Patch: 
> https://github.com/clearlinux-pkgs/evolution/commit/
> 70c9346f1a3e4e25344eb7a1f64147dc8dfe9b12

Upstream doesn't use GitHub, the correct upstream commit link is:

Comment 12 Riccardo Schirone 2019-03-07 08:47:00 UTC
Given a valid OpenPGP signed message signed by person P, it is possible for an attacker to trick Evolution into displaying the "GPG signed" message even if arbitrary text is added to the email, without any signing applied. Thus the victim will see the attacker-controlled message as validly signed by person P.

Comment 19 errata-xmlrpc 2020-03-31 19:21:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1080 https://access.redhat.com/errata/RHSA-2020:1080

Comment 20 Product Security DevOps Team 2020-03-31 22:33:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 21 errata-xmlrpc 2020-04-28 15:28:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1600 https://access.redhat.com/errata/RHSA-2020:1600

Note You need to log in before you can comment on or make changes to this bug.