Bug#898634: kmail: efail attack against S/MIME
Source: kmail
Severity: grave
Tags: security
Justification: user security hole

Hi,

as you may already know, a paper was published this morning describing a
vulnerability known as efail against S/MIME and PGP/MIME implementations
in various mail clients.

This vulnerability allows an attacker with read/write access to
encrypted mail to retrieve the plaintext provided HTML mails are
enabled, as well as loading of remote content.

The paper indicates that the PGP/MIME implementation in kmail is not
vulnerable, but the S/MIME is.

It might be possible that the vulnerability is in an underlying library,
so feel free to reassign if needed.

It's likely we'll have to issue a DSA for this.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled