Re: Bug#924616: RFT and RFC: Updates for evolution{,-data-server}

Hi Jonas

[Adding security team alias, as debian-lts is not followed]

On Wed, Apr 24, 2019 at 11:08:44AM +0200, Jonas Meurer wrote:
> Hello,
> The last days, I spent quite some hours on backporting and debugging
> patches for CVE-2018-15587 (Signature Spoofing in PGP encrypted email)
> to evolution and evolution-data-server packages for Jessie LTS.
> One problem is that the scope of CVE-2018-15587 is a bit blurry. While
> the CVE description speaks specifically about the possibility to craft
> emails in a way that they spuriously appear to be *signed* - a
> vulnerability that got revealed in the aftermath of SigSpoof - the
> corresponding bugreports link to several related OpenPGP weaknesses in
> evolution{-data-server}.

You are right that the CVE is specifically for the signature spoofing
issue. It's still not fully clear, but I think it is best to stick to
that. This is the reason I yesterday reverted my previous f6f251cff480
("Track evolution-data-server under CVE-2018-15587 and add upstream
references")[1] following the reasoning, in 34c907a0fb48[2] ("Do not
track evolution-data-server under CVE-2018-15587").

 [1]  https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6f251cff4801a452acddc3256bbb77e8e4050b8
 [2]  https://salsa.debian.org/security-tracker-team/security-tracker/commit/34c907a0fb48667022f6b16fef327318a8f1ada8

If at all (but I expect not at the moment) the issues related to
emails appearing to be encrypted receive a CVE, we can start
tracking those in the tracker. The same goes for the other source
packages, if they arise.

OTOH at least some other distros seem to relate the CVE to the
secondary issues as well. But I think the strict interpretation of the
CVE assignment is as you outlined.
