Bug 1923113 (CVE-2021-3349) - CVE-2021-3349 evolution-data-server: mail is shown as having a valid signature from an unknown identifier on a previously trusted key
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-3349
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1923116 1933119 1933120
Blocks: 1923114
Reported: 2021-02-01 12:44 UTC by Pedro Sampaio
Modified: 2021-10-28 10:39 UTC (History)
CC List: 5 users

Fixed In Version: evolution-data-server-3.40.4 evolution-3.40.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-28 10:39:12 UTC



Description Pedro Sampaio 2021-02-01 12:44:20 UTC
GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior.

https://dev.gnupg.org/T4735
https://gitlab.gnome.org/GNOME/evolution/-/issues/299
https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html

Comment 1 Pedro Sampaio 2021-02-01 12:46:28 UTC
Created evolution tracking bugs for this issue:

Affects: fedora-all [bug 1923116]

Comment 2 Milan Crha 2021-02-01 13:58:57 UTC
(In reply to Pedro Sampaio from comment #0)
> GNOME Evolution through 3.38.3 produces a "Valid signature" message for an
> unknown identifier on a previously trusted key because Evolution does not
> retrieve enough information from the GnuPG API. NOTE: third parties dispute
> the significance of this issue, and dispute whether Evolution is the best
> place to change this behavior.
> 
> https://dev.gnupg.org/T4735
> https://gitlab.gnome.org/GNOME/evolution/-/issues/299
> https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html

Right, the evolution bug, closed for ~two years, basically agrees the problem is on the gnupg side. I do not know what to do with this bug here (it's currently filed for evolution).

Note that Evolution simply asks gnupg to verify the signature and it relies on the result returned from the gnupg binary.

Comment 6 Milan Crha 2021-03-01 10:06:53 UTC
Looking into the gnupg bug [1], the `--sender` option can be harmful, I think. That's in the case when the signature has stored the signer address. This may not match the From address of a message sent by a mailing list, which would render the signature as invalid, even if it's otherwise correct. It's how I understand the last example at [2], at least. Nonetheless, I see Evolution (libcamel from the evolution-data-server) generates signatures without the signer email address when the key entered in the account Properties is defined by a key ID instead of by the email address.

[1] https://dev.gnupg.org/T4735
[2] https://dev.gnupg.org/T4735#135274

Comment 7 Milan Crha 2021-10-25 08:07:57 UTC
I tried this with 3.40.4 of evolution-data-server and evolution, and when the From address and the address in the signer key do not match, then Evolution prints:

   Valid signature, but sender address and signer address do not match (Signer Name <signer@example.com>)

Thus I consider this fixed in 3.40.4.
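The per-user-ID check that comments 2, 6 and 7 turn on, written out as an added example; this is not code from Evolution, libcamel or GnuPG, and it does not reproduce how Evolution 3.40.4 produces the message quoted above. It parses the machine-readable output of `gpg --verify --status-fd 1` and `gpg --with-colons --list-keys` (the sample lines here are constructed, with a made-up key ID, fingerprint, names and addresses) and reports whether the From address matches a user ID on the signing key and whether that user ID itself has been validated, instead of letting the key-level TRUST_* result vouch for every user ID on the key. The function names and verdict codes are this example's own.

```python
"""Does a GnuPG "good signature" vouch for the sender address?

Added example, not Evolution/libcamel/GnuPG code.  Parses the output of
`gpg --verify --status-fd 1` and `gpg --with-colons --list-keys`; the
sample lines below are constructed and every identifier in them is made up.
"""
import re

# Validity codes used in field 2 of --with-colons pub/uid records.
VALIDITY = {"o": "unknown (new key)", "i": "invalid", "d": "disabled",
            "r": "revoked", "e": "expired", "-": "unknown", "q": "undefined",
            "n": "never", "m": "marginal", "f": "full", "u": "ultimate"}
TRUSTED_VALIDITY = {"f", "u"}
STATUS_PREFIX = "[GNUPG:] "

# Constructed: a good signature by primary key ...ABCDEF, key trusted fully.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 0011223344556677889900AA0123456789ABCDEF 2021-02-01 1612180800 0 4 0 1 10 00 0011223344556677889900AA0123456789ABCDEF
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed: only the first user ID was certified ("f"); the second one,
# added later by the key holder, has never been validated ("-").
SAMPLE_LISTING = """\
tru::1:1612180800:0:3:1:5
pub:f:4096:1:0123456789ABCDEF:1500000000:::f:::scESC::::::23::0:
fpr:::::::::0011223344556677889900AA0123456789ABCDEF:
uid:f::::1500000000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>::::::::::0:
uid:-::::1612000000::0000000000000000000000000000000000000002::Bob Victim <bob@example.net>::::::::::0:
sub:f:4096:1:FEDCBA9876543210:1500000000::::::s::::::23:
fpr:::::::::AA0099887766554433221100FEDCBA9876543210:
"""


def parse_status(status_text):
    """Return (good, primary_key_fpr, primary_uid, trust) from status lines."""
    good, fingerprint, primary_uid, trust = False, None, None, None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(" ")
        keyword = fields[0]
        if keyword == "GOODSIG":            # GOODSIG <long keyid> <primary user ID>
            good = True
            primary_uid = " ".join(fields[2:])
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, None, None, None  # only a plain GOODSIG is accepted here
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <sig-class> [<primary-key-fpr>]
            fingerprint = fields[10] if len(fields) > 10 else fields[1]
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):]
    return good and fingerprint is not None, fingerprint, primary_uid, trust


def parse_key_listing(listing_text):
    """Map primary-key fingerprint -> [(user_id, validity_code), ...]."""
    keys, uids, want_fpr = {}, None, False
    for line in listing_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            uids, want_fpr = [], True
        elif f[0] == "fpr" and want_fpr:   # first fpr after pub: primary key
            keys[f[9]] = uids
            want_fpr = False
        elif f[0] == "uid" and uids is not None:
            uids.append((f[9], f[1]))      # user ID string, validity code
    return keys


def mailbox_of(user_id):
    """Address from "Name <addr>" or bare "addr", lower-cased (assumption:
    case-insensitive comparison is acceptable for this check)."""
    m = re.search(r"<([^<>]+)>", user_id)
    return (m.group(1) if m else user_id).strip().lower()


def sender_verdict(status_text, listing_text, from_addr):
    """Classify a signature against the message's From address.

    Codes: NO_SIG, KEY_NOT_LISTED, SENDER_OK (From matches a fully/ultimately
    valid user ID), SENDER_UID_UNVALIDATED (From matches a user ID whose own
    validity is not full, whatever the key-level trust says), SENDER_MISMATCH.
    """
    good, fpr, primary_uid, trust = parse_status(status_text)
    if not good:
        return "NO_SIG", "no plain GOODSIG/VALIDSIG in status output"
    uids = parse_key_listing(listing_text).get(fpr)
    if uids is None:
        return "KEY_NOT_LISTED", fpr
    wanted = from_addr.strip().lower()
    for uid, validity in uids:
        if mailbox_of(uid) == wanted:
            desc = VALIDITY.get(validity, validity)
            if validity in TRUSTED_VALIDITY:
                return "SENDER_OK", f"{uid} (user ID validity: {desc})"
            return "SENDER_UID_UNVALIDATED", f"{uid} (user ID validity: {desc}; key trust: {trust})"
    return "SENDER_MISMATCH", f"signer key's primary user ID is {primary_uid}"


if __name__ == "__main__":
    for sender in ("alice@example.org", "bob@example.net", "carol@example.com"):
        print(sender, "->", sender_verdict(SAMPLE_STATUS, SAMPLE_LISTING, sender))
```

With the constructed listing, mail from alice@example.org gets SENDER_OK, mail from bob@example.net gets SENDER_UID_UNVALIDATED even though the status output says TRUST_FULLY for the key, and mail from an address that is on no user ID of the key gets SENDER_MISMATCH, which is the situation the 3.40.4 message above reports.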

