Processed: Re: Bug#898631: thunderbird: efail attack against S/MIME and PGP/MIME

2018-05-28 Thread Debian Bug Tracking System 
Processing control commands:

> retitle 898631 thunderbird: still efail attack issue possible
Bug #898631 {Done: Carsten Schoenert } 
[src:thunderbird] thunderbird: still efail attack issue possible against S/MIME 
and PGP/MIME in some circumstances
Changed Bug title to 'thunderbird: still efail attack issue possible' from 
'thunderbird: still efail attack issue possible against S/MIME and PGP/MIME in 
some circumstances'.

-- 
898631: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898631
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#898631: thunderbird: efail attack against S/MIME and PGP/MIME

2018-05-28 Thread Carsten Schoenert 
Control: retitle 898631 thunderbird: still efail attack issue possible
against S/MIME and PGP/MIME in some circumstances


Hi again,

Am 27.05.2018 um 10:04 schrieb intrigeri:
> Hi Thunderbird maintainers!
> 
> My understanding (by reading some Thunderbird upstream mailing lists)
> is that 52.8.0 only has part of the EFAIL fixes and the remaining
> fixes will go into 52.8.1.

that's correct, unfortunately.

> So perhaps this bug should not be marked as fixed in 1:52.8.0-1?
> Or are the remaining problems tracked on another bug report that
> I could not find?

No, right now there is no other issue to track this. I had finished all
my work on TB 52.8.0 before it was clear that the Efail thing isn't
fully fixed bu 52.8.0.

I wouldn't like to reopen the previous bug report and just use this one
here to keep tracking the remaining issue. Hopefully Mozilla will do a
release of 52.8.1 next week.

-- 
Regards
Carsten Schoenert

Bug#898631: thunderbird: efail attack against S/MIME and PGP/MIME

2018-05-27 Thread intrigeri 
Hi Thunderbird maintainers!

My understanding (by reading some Thunderbird upstream mailing lists)
is that 52.8.0 only has part of the EFAIL fixes and the remaining
fixes will go into 52.8.1. 

So perhaps this bug should not be marked as fixed in 1:52.8.0-1?
Or are the remaining problems tracked on another bug report that
I could not find?

Cheers,
-- 
intrigeri

Bug#898631: thunderbird: efail attack against S/MIME and PGP/MIME

2018-05-14 Thread Yves-Alexis Perez 
Source: thunderbird
Severity: grave
Tags: security
Justification: user security hole

Hi,

as you might already be aware, an attack has been published against
PGP/MIME and S/MIME handling in various mail clients, including
Thunderbird.

I've already reported a bug against enigmail, since PGP handling seems
mostly restricted to enigmail, but the S/MIME part is handled directly
in Thunderbird as far as I can tell.

We'll likely have to issue a DSA too.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), 
LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled