Package: semi
Version: 1.14.7~0.20120428-14
Severity: important
Tags: jessie security

It was discovered that SEMI, an Emacs library that provides MIME
features, did not properly implement recipient matching when encrypting
mails.  This may allow an unrelated person to decrypt the mails.

cf.
  - http://thread.gmane.org/gmane.mail.wanderlust.general.japanese/9819
    From: Michael Welle
    > I discovered strange behaviour while trying to encrypt mails (Emacs
    > 24.4.1, SEMI is the current version from the melpa archive). The key
    > ids that are fed to gpg are mostly totally unrelated to the mail's
    > recipient. The problem seems to be in mime-edit.el. In
    > mime-edit-encrypt-pgp-mime a recipient list is calculated. A to-header
    > like 'foo bar <foo@a.b>' is therefore parsed into three elements 'foo',
    > 'bar' and 'foo@a.b', which results in three key ids (depending on the
    > contents of your key ring). Unfortunately, the key ids resulting from
    > 'foo' and 'bar' are unrelated to this mail in my case (tons of
    > different keys can be found for foo). And even the key found for
    > foo@a.b might not be the one one wants to use.
    >
    > As a work around one can use plain mail addresses like 'foo@a.b'.
    Fixed in https://github.com/wanderlust/semi/commit/9976269556c5bcc021e4edf1b0e1accd39929528

  - https://github.com/wanderlust/semi/issues/9
    From: Tatsuya Kinoshita
    > With SEMI-EPG 2015-05-03 and Wanderlust 2015-03-08, in encryption,
    > a mail with To: m...@debian.org chooses d...@debian.org's key when
    > the following keys are imported.
    >
    >   - 1024D/97AA33D6 Dima Barsky <d...@debian.org>
    >   - 1024D/1A944AD7 Martin Albert <m...@debian.org>
    >
    > It seems not to be an exact match on an email address.
    Fixed in
      - https://github.com/wanderlust/semi/commit/5c8466321d281d72850c298b9ebcd466b4b0160c
      - https://github.com/wanderlust/semi/commit/da44c8e0ea6baf5dac2b8debf86f720a541f31a5

The security team suggested that this is rather a candidate for a fix in
a point update instead of a Debian Security Advisory.
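
To make the two reported failure modes concrete, the following Python model (added here; it is not SEMI's Emacs Lisp code, and the keyring, key ids and addresses are constructed samples) contrasts a word-by-word substring lookup, as both reports describe, with an exact addr-spec match, and shows the '<addr>' form gpg accepts for an exact e-mail match:

```python
import re
from email.utils import getaddresses

# Constructed sample keyring (key id, user id); no real keys or people.
KEYRING = [
    ("K1", "Dima Barsky <dima@example.org>"),
    ("K2", "Martin Albert <ma@example.org>"),
    ("K3", "Foo Bar <foo@a.b>"),
    ("K4", "Foo Corp Mailer <noreply@foo.example>"),
    ("K5", "Bar Baz <bar@example.net>"),
]

def recipient_keys_naive(to_header):
    """Model of the behaviour the report describes: the To: header is
    broken into words, and every word selects keys by substring match
    against the user id (gpg's default for a bare name or address)."""
    hits = []
    for tok in re.split(r"[\s<>,]+", to_header):
        if not tok:
            continue
        for keyid, uid in KEYRING:
            if tok.lower() in uid.lower() and keyid not in hits:
                hits.append(keyid)
    return hits

def recipient_keys_exact(to_header):
    """Hardened lookup: keep only each recipient's addr-spec and require
    an exact, case-insensitive match on the key's e-mail address."""
    wanted = {addr.lower() for _, addr in getaddresses([to_header]) if addr}
    hits = []
    for keyid, uid in KEYRING:
        m = re.search(r"<([^>]+)>", uid)
        if m and m.group(1).lower() in wanted and keyid not in hits:
            hits.append(keyid)
    return hits

def gpg_recipient_args(to_header):
    """Argument list to hand to gpg: the '<addr>' form asks gpg itself
    for an exact e-mail match rather than a substring search."""
    args = []
    for _, addr in getaddresses([to_header]):
        if addr:
            args += ["--recipient", f"<{addr}>"]
    return args

if __name__ == "__main__":
    for hdr in ("foo bar <foo@a.b>", "Martin Albert <ma@example.org>"):
        print(hdr, recipient_keys_naive(hdr), recipient_keys_exact(hdr))
```

Run stand-alone, it shows the naive lookup pulling in four keys for 'foo bar <foo@a.b>' and a second, unrelated key for 'Martin Albert <ma@example.org>', while the exact lookup returns one key in each case.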

Thanks,
--
Tatsuya Kinoshita
