GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.
Upstream issues:
Created evolution tracking bugs for this issue:
Affects: fedora-28 [bug 1677651]
Thanks for the bug report. As the maintainer and an author of the upstream changes:
(In reply to msiddiqu from comment #0)
This basically proves that HTML mails are bad. People are using them anyway. When looking into the bug description, the main differences in the provided screenshots are:
1) missing "Security" header, which is the main indication that some content is signed/encrypted in the message;
2) the round corner of the message body is not green;
3) the border of the message body doesn't have a gap between the body and the signature information;
4) clicking the signature button to see the signature information would not work.
I agree that some of these are really tiny details and can be overlooked easily.
I do not want to backport this one to a to-be-in-end-of-life-soon version, because it had some regressions and follow-up fixes (because there is no good way (or I'm not aware of any) to synchronize data between two streams provided by gpg).
> Upstream Patch:
Upstream doesn't use GitHub, the correct upstream commit link is:
Given a valid OpenPGP signed message signed by person P, it is possible for an attacker to trick Evolution into displaying the "GPG signed" message even if arbitrary text is added to the email, without any signing applied. Thus the victim will see the attacker-controlled message as validly signed by person P.
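The MIME structure this attack relies on, shown as an added example that is not code from the bug report or from Evolution: a Python check that walks the tree of a constructed message in which a genuinely signed multipart/signed part is nested as an attachment under unsigned top-level text, and reports which leaf parts the signature actually covers. A client should only present the whole message as signed when the multipart/signed wrapper is the top-level entity; the cryptographic verification itself is left to gpg and is not performed here.

```python
from email import message_from_string

# Constructed sample, not taken from the bug report: a genuinely signed part
# nested as an attachment inside an outer multipart/mixed whose top-level
# text is attacker-controlled and unsigned.
NESTED_SIGNED_MAIL = """\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Please transfer the funds today.
--outer
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain

Original text written and signed by P.
--inner
Content-Type: application/pgp-signature

(placeholder for the detached signature; gpg would verify it)
--inner--
--outer--
"""


def signed_coverage(raw: str) -> dict:
    """Split leaf parts into those inside a multipart/signed wrapper and those
    outside it. This answers only the structural question: does the signature
    cover everything that will be rendered?"""
    msg = message_from_string(raw)
    covered, uncovered = [], []

    def walk(part, inside_signed):
        if part.is_multipart():
            signed = part.get_content_type() == "multipart/signed"
            for i, sub in enumerate(part.get_payload()):
                # In multipart/signed only the first body part is signed data;
                # the second is the detached signature itself.
                walk(sub, inside_signed or (signed and i == 0))
        elif part.get_content_type() != "application/pgp-signature":
            (covered if inside_signed else uncovered).append(part.get_payload().strip())

    walk(msg, False)
    return {
        "whole_message_signed": msg.get_content_type() == "multipart/signed",
        "covered": covered,
        "uncovered": uncovered,
    }
```

For the sample, `whole_message_signed` is False and the top-level text lands in `uncovered`, which is exactly the case where a "signed" indicator must not be shown for the message as a whole.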