Bug 707848 (CVE-2011-3355) - CVE-2011-3355 evolution: IMAP does non-SSL connection when storing to Sent folder
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2011-3355
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 697904
Depends On: 737106
Blocks: 737090
Reported: 2011-05-26 07:13 UTC by Olivier Crête
Modified: 2019-09-29 12:45 UTC (History)

Fixed In Version: evolution 3.1.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-25 13:20:48 UTC



Description Olivier Crête 2011-05-26 07:13:09 UTC
Description of problem:

After updating from F14 to F15, the IMAP component tried to authenticate in plain text over a non-SSL connection when storing to the Sent folder, even though my IMAP connection is configured as SSL (and the server also supports TLS).

For some reason, in the Defaults pref tab, the Sent folder was reset to use the local one instead of the one on the IMAP server (which was correctly configured in F14).

This leads to possible password disclosure... so it's a security problem...


Version-Release number of selected component (if applicable):

evolution-3.0.1-1.fc15.x86_64


How reproducible:

Always... until I re-selected the IMAP folder in Defaults.. then it was gone.

Comment 1 Jan Lieskovsky 2011-06-01 17:27:13 UTC
Hi, Olivier,

  thank you for your report.

(In reply to comment #0)
> How reproducible:
> 
> Always... until I re-selected the IMAP folder in Defaults.. then it was gone.

So when you configured the IMAP account to use the SSL/TLS alternative, the
Defaults pref tab contained the Sent folder for the remote server? IOW, did I
get it right that this was reset without user action / consciousness?

Also, by 'until I re-selected the IMAP folder in Defaults' do you mean
you set it back in the Defaults tab to be the Sent folder on the remote server
machine, right? Or do you mean just clicking on it?

Thank you, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 2 Olivier Crête 2011-06-01 17:45:32 UTC
In Evo 2.32 I had selected the remote folder, so it was still selected when upgrading to 3.0. But it tried to connect to the server over a non-SSL connection (sending my username/password without SSL). I only realised there was a problem because our Dovecot server only allows upgrading to TLS over a non-SSL connection.

I went into the Defaults tab, clicked on the button, re-selected the remote folder from the list (I think something else was selected, not sure), and clicked OK. After doing that, it seemed to fix itself.

Comment 5 Jan Lieskovsky 2011-09-09 15:43:39 UTC
*** Bug 697904 has been marked as a duplicate of this bug. ***

Comment 7 Jan Lieskovsky 2011-09-09 16:03:10 UTC
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2011/09/09/1

Comment 8 Jan Lieskovsky 2011-09-09 16:07:45 UTC
Created evolution tracking bugs for this issue

Affects: fedora-15 [bug 737106]

Comment 10 Jan Lieskovsky 2011-09-09 16:30:34 UTC
This issue did NOT affect the versions of the evolution and evolution28 packages, as shipped with Red Hat Enterprise Linux 4.

This issue did NOT affect the versions of the evolution package, as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 11 Jan Lieskovsky 2011-09-09 16:32:22 UTC
Statement:

Not vulnerable. This issue did not affect the versions of evolution as shipped with Red Hat Enterprise Linux 4, 5, or 6. This issue did not affect the version of evolution28 as shipped with Red Hat Enterprise Linux 4.

Comment 12 Vincent Danen 2011-09-09 23:11:47 UTC
This was assigned the name CVE-2011-3355.
