Bug 1677650 (CVE-2018-15587) - CVE-2018-15587 evolution: specially crafted email leading to OpenPGP signatures being spoofed for arbitrary messages
Keywords:
Status: NEW
Alias: CVE-2018-15587
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1686408 1764563 1677651
Blocks: 1677656
 
Reported: 2019-02-15 13:42 UTC by msiddiqu
Modified: 2019-10-25 14:51 UTC
CC: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description msiddiqu 2019-02-15 13:42:45 UTC
GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. 

Upstream issues : 
https://bugzilla.gnome.org/show_bug.cgi?id=796424

Upstream Patch: 
https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85

Comment 1 msiddiqu 2019-02-15 13:42:56 UTC
Created evolution tracking bugs for this issue:

Affects: fedora-28 [bug 1677651]

Comment 2 Milan Crha 2019-02-18 11:09:35 UTC
Thanks for the bug report. As the maintainer and an author of the upstream changes:

(In reply to msiddiqu from comment #0)
> https://gitlab.gnome.org/GNOME/evolution/issues/120

This basically proves that HTML mails are bad. People are using them anyway. When looking into the bug description, the main differences in the provided screenshots are:
1) missing "Security" header, which is the main indication that some content is signed/encrypted in the message;
2) the round corner of the message body is not green;
3) the border of the message body doesn't have a gap between the body and the signature information;
4) clicking the signature button to see the signature information would not work.

I agree that some of these are really tiny details and can be overlooked easily.

> https://gitlab.gnome.org/GNOME/evolution-data-server/issues/3

I do not want to backport this one to a to-be-in-end-of-life-soon version, because it had some regressions and follow up fixes (because there is no good way (or I'm not aware of any) to synchronize data between two streams provided by gpg).

> Upstream Patch: 
> 
> https://github.com/clearlinux-pkgs/evolution/commit/
> 70c9346f1a3e4e25344eb7a1f64147dc8dfe9b12

Upstream doesn't use GitHub, the correct upstream commit link is:
https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21

Comment 12 Riccardo Schirone 2019-03-07 08:47:00 UTC
Given a valid OpenPGP signed message signed by person P, it is possible for an attacker to trick Evolution into displaying the "GPG signed" message even if arbitrary text is added to the email, without any signing applied. Thus the victim will see the attacker-controlled message as validly signed by person P.

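The message shape described in comment 0 and comment 12, as an added example that is not part of this bug report and not Evolution's code: a genuinely signed message from the impersonated sender is attached (as message/rfc822) to an unsigned message whose HTML body the attacker controls. The script below builds that structure with Python's standard email package and then walks the MIME tree to report, for each part, which multipart/signed container (if any) actually covers it. The safe rule it implements is per subtree: only content inside a multipart/signed container (RFC 3156) is covered, and only by that container's own signature, so a message-wide "signed" indicator is justified only when the root of the message is the signed container. Verification of signature bytes is out of scope; the signature payload, the addresses and the bodies are constructed placeholders.

```python
"""Added example (not Evolution code): which MIME parts does an OpenPGP
signature actually cover?

A client with a single message-wide "signed" indicator will present an
attacker's unsigned body as signed whenever any signed part is nested inside
the message. The per-subtree model below avoids that. Signature bytes are not
verified here; FAKE_SIGNATURE is a constructed placeholder.
"""
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed placeholder standing in for a real detached OpenPGP signature.
FAKE_SIGNATURE = b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"


def build_signed_message(sender: str, body: str) -> Message:
    """Structure of an RFC 3156 multipart/signed message (no real signing)."""
    signed = MIMEMultipart("signed", protocol="application/pgp-signature",
                           micalg="pgp-sha256")
    signed["From"] = sender
    signed["Subject"] = "Signed message"
    signed.attach(MIMEText(body, "plain"))
    signed.attach(MIMEApplication(FAKE_SIGNATURE, "pgp-signature"))
    return signed


def build_spoof_message(attacker_body_html: str, signed_msg: Message) -> Message:
    """Attacker's message: unsigned HTML body plus the victim's signed message
    attached as message/rfc822, the shape this bug describes."""
    outer = MIMEMultipart("mixed")
    outer["From"] = signed_msg["From"]          # From: is unauthenticated anyway
    outer["Subject"] = signed_msg["Subject"]
    outer.attach(MIMEText(attacker_body_html, "html"))
    forwarded = MIMEMessage(signed_msg)
    forwarded.add_header("Content-Disposition", "attachment", filename="forwarded.eml")
    outer.attach(forwarded)
    # Round-trip through the parser so we analyse what a receiving client sees.
    return message_from_string(outer.as_string())


def signature_scope(part: Message, path=(), cover=None):
    """Return [(path, content_type, cover)] for every part in the tree.

    `cover` is the path of the nearest enclosing multipart/signed container,
    or None if no signed container encloses this part. The container itself
    and the signature part are never reported as covered."""
    ctype = part.get_content_type()
    rows = [(path, ctype, cover)]
    if not part.is_multipart():
        return rows
    children = part.get_payload()
    if ctype == "multipart/signed" and len(children) == 2:
        data, sig = children
        rows += signature_scope(data, path + (0,), path)   # covered by *this* signature
        rows.append((path + (1,), sig.get_content_type(), None))
    else:
        # multipart/mixed, multipart/alternative, message/rfc822 and a
        # malformed multipart/signed: children inherit the parent's cover.
        for i, child in enumerate(children):
            rows += signature_scope(child, path + (i,), cover)
    return rows


def uncovered_leaves(msg: Message):
    """Paths of displayable leaf parts that no signature covers."""
    return [p for p, ctype, cover in signature_scope(msg)
            if cover is None
            and not ctype.startswith("multipart/")
            and not ctype.startswith("message/")
            and ctype != "application/pgp-signature"]


def whole_message_signed(msg: Message) -> bool:
    """A message-wide 'signed' indicator is justified only when the root is
    the multipart/signed container, i.e. nothing displayable lies outside it."""
    return not uncovered_leaves(msg) and msg.get_content_type() == "multipart/signed"


if __name__ == "__main__":
    # Constructed sample: Alice's genuinely signed note, reused by the attacker.
    alice = build_signed_message("alice@example.org", "Invoice: pay to account A.")
    spoof = build_spoof_message(
        "<p style='border:2px solid green'>Invoice: pay to account B.</p>", alice)
    for path, ctype, cover in signature_scope(spoof):
        print(path, ctype, "covered by %r" % (cover,) if cover is not None else "UNSIGNED")
    print("uncovered:", uncovered_leaves(spoof))               # attacker's HTML body
    print("message-wide signed?", whole_message_signed(spoof))  # should be False
    print("message-wide signed?", whole_message_signed(alice))  # should be True
```

The attacker's text/html part at path (0,) has no cover, while only the text/plain part nested under the forwarded multipart/signed container is covered, and only by that container. Rendering the signature status next to the part it belongs to (rather than once at the bottom of the whole message) follows directly from this per-part result.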
