Using Content-Type = multipart/alternative, it is possible to trick Enigmail into displaying a valid signature status for a MIME part that is actually not signed. Such messages have the following structrure (or similar): multipart/alternative |- multipart/signed | |- text/plain | |- text/html Fixed in 2.1.5. Reproducer: https://sourceforge.net/p/enigmail/bugs/1044/attachment/Sample%20Message.eml https://sourceforge.net/p/enigmail/bugs/_discuss/thread/90e18ceedb/e1d4/attachment/Pubkey.asc References: https://sourceforge.net/p/enigmail/bugs/1044/
Created thunderbird-enigmail tracking bugs for this issue: Affects: epel-7 [bug 1790325] Affects: fedora-all [bug 1790324]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.