Vulnerabilities in OpenPGP specification can be abused by so-called CFB gadget attacks to exfiltrate the plaintext from encrypted email. Attacker having access to encrypted emails of a victim can modify them to inject an image tag into them and create a single encrypted body part that exfiltrates its own plaintext when the victim opens the attacker email. External References: https://efail.de/
Created evolution tracking bugs for this issue: Affects: fedora-all [bug 1577910] Created kmail tracking bugs for this issue: Affects: fedora-all [bug 1577911] Created thunderbird tracking bugs for this issue: Affects: fedora-all [bug 1577914] Created thunderbird-enigmail tracking bugs for this issue: Affects: epel-7 [bug 1577917] Affects: fedora-all [bug 1577912] Created trojita tracking bugs for this issue: Affects: epel-7 [bug 1577915] Affects: fedora-all [bug 1577913]
The research paper talks about use of HTML as a back channel to create an oracle for modified encrypted emails. HTML emails which use external links like "<img href="tla.org/TAG"/>" can cause security issues if they are honored by the MUAs. Due to flaws in MIME parsers many MUAs seem to concatenate decrypted HTML mine parts which makes it easy to plan such snippets in HTML emails. The easiest way to mitigate this vulnerability is not to use HTML emails. If you really need to use them ensure that MUA clients disable external links embedded in HTML emails. For example in thunderbird email client Edit->Preferences->Privacy->Disable "Allow remote content in messages". Please refer to https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html about how GnuPG can mitigate this flaw.
Statement: The research paper talks about use of HTML as a back channel to create an oracle for modified encrypted emails. HTML emails which use external links like "<img href="tla.org/TAG"/>" can cause security issues if they are honored by the MUAs. Due to flaws in MIME parsers many MUAs seem to concatenate decrypted HTML mine parts which makes it easy to plan such snippets in HTML emails. Please refer to https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html about how GnuPG can mitigate this flaw.
Mitigation: The easiest way to mitigate this vulnerability is not to use HTML emails. If you really need to use them ensure that MUA clients disable external links embedded in HTML emails. For example in thunderbird email client, Edit->Preferences->Privacy->Disable "Allow remote content in messages".
This and CVE-2017-17688 in Thunderbird 52.8 as part of CVE-2018-5162.
Note: Further investigation suggests that evolution-data-server package may not be affected by this flaw as per: https://bugzilla.redhat.com/show_bug.cgi?id=1577910#c3