The signature verification routine in Enigmail 2.0.6.1 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.

External References:
https://neopg.io/blog/enigmail-signature-spoof/
http://seclists.org/oss-sec/2018/q2/187

Upstream Changelog:
https://www.enigmail.net/index.php/en/download/changelog#enig2.0.7
Created thunderbird-enigmail tracking bugs for this issue:

Affects: epel-7 [bug 1591098]
Affects: fedora-all [bug 1591099]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.