[trojita] [Bug 432353] Untagged responses are processed before STARTTLS.
https://bugs.kde.org/show_bug.cgi?id=432353

--- Comment #7 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

Hehe, the code at https://github.com/KDE/trojita/blob/master/src/Imap/Parser/Command.cpp#L71 seems familiar :-)

`PartOfCommand` cannot contain a `"`, right?

--
You are receiving this mail because:
You are watching all bug changes.
[trojita] [Bug 432353] Untagged responses are processed before STARTTLS.
https://bugs.kde.org/show_bug.cgi?id=432353

--- Comment #5 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

Hey Jan, thank you for working on this issue!

> This cannot be exploited like that.

I know of at least one client where this is practically exploitable. However, I am not saying that it is possible in Trojita, though!

> Since IMAP is a text-based protocol, there are rules on how to "intervene"
> user-controlled (or even attacker-controlled) strings with protocol commands.
> However, this is not specific to a possible side-channel injection due to
> STARTTLS. The real user can just as well create a mailbox which has a newline
> in its name, and the IMAP code must handle this properly. Let's not call this
> "sanitization", please; it's a critical part of implementing a protocol.

I fully agree. Sanitization is not the correct term.

By the way, I know that you implemented the IMAP protocol very diligently in Trojita! ;-) Still, I also know IMAP very well and how complicated string handling is due to the many involved "string types" such as `tag`, `text`, `atom`, `astring`, `literal` ... (In fact, in my own IMAP implementation I was *so afraid* to forget to correctly encode some string in some place that I wrapped all "string types" and use these wrappers throughout the whole library.¹)

> The STARTTLS vulnerability will only be relevant in this context if the
> attacker-controlled cache stored strings which are somehow escaped, and that
> is not the case.

Not sure if I understand that. But it doesn't matter. If Trojita implements the IMAP protocol correctly and properly escapes folder names, it should not matter.

¹ https://github.com/duesee/imap-codec/blob/6bf1e5d0da45d576bd9ed4ddc0b3640da8e2ba80/src/types/mailbox.rs#L142
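The comment above argues that a mailbox name must be encoded according to its IMAP "string type" rather than "sanitized". The following is an added illustration, not code from Trojita or from imap-codec: a hypothetical `encodeMailbox` helper that picks the RFC 3501 astring form (atom, quoted or literal) from the bytes in the name, so that a name containing CR/LF or a double quote is carried as data and never as command syntax.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical helper (not Trojita's or imap-codec's code): encode a mailbox name
// as an RFC 3501 astring. Three wire forms exist, chosen by the bytes present:
//   atom    - bare, only for names made of safe atom characters
//   quoted  - "..." with '\\' and '"' escaped; may NOT contain CR, LF or 8-bit
//   literal - {n}CRLF followed by n raw bytes; the only form that can carry CR/LF
// The server reads exactly n bytes after a literal prefix, so a name such as
// "a\r\nNOOP" arrives as data instead of starting a new command line.
enum class Form { Atom, Quoted, Literal };

static bool isAtomChar(unsigned char c) {
    // atom-specials: "(" ")" "{" SP CTL, list-wildcards "%" "*",
    // quoted-specials DQUOTE "\", resp-specials "]"
    if (c <= 0x20 || c >= 0x7f) return false;
    switch (c) {
        case '(': case ')': case '{': case '"': case '\\':
        case '%': case '*': case ']': return false;
        default: return true;
    }
}

Form chooseForm(const std::string& name) {
    if (name.empty()) return Form::Quoted;   // "" is the only empty astring
    bool atom = true;
    for (unsigned char c : name) {
        if (c == '\0') throw std::invalid_argument("NUL is not allowed in IMAP strings");
        if (c == '\r' || c == '\n' || c >= 0x80) return Form::Literal;
        if (!isAtomChar(c)) atom = false;
    }
    return atom ? Form::Atom : Form::Quoted;
}

// Returns the exact bytes to place into the command (without the trailing CRLF).
std::string encodeMailbox(const std::string& name) {
    switch (chooseForm(name)) {
    case Form::Atom:
        return name;
    case Form::Quoted: {
        std::string out = "\"";
        for (char c : name) {
            if (c == '"' || c == '\\') out += '\\';   // escape quoted-specials
            out += c;
        }
        return out + "\"";
    }
    case Form::Literal:
        return "{" + std::to_string(name.size()) + "}\r\n" + name;
    }
    return name;   // unreachable; all enum values handled above
}
```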
[kmail2] [Bug 423423] STARTTLS is ignored when "Server requires authentication" not checked in UI
https://bugs.kde.org/show_bug.cgi?id=423423

--- Comment #3 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

Ah sorry :-) I wrote that comment without thinking too much. We (me and some colleagues) performed a STARTTLS test some months ago, reported multiple vulnerabilities and are now in the process of consolidating the still open bugs.
[kmail2] [Bug 423423] STARTTLS is ignored when "Server requires authentication" not checked in UI
https://bugs.kde.org/show_bug.cgi?id=423423

--- Comment #1 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

May I ask for an update? To be clear: we think that this is a security vulnerability.
[trojita] [Bug 432353] Untagged responses are processed before STARTTLS.
https://bugs.kde.org/show_bug.cgi?id=432353

--- Comment #1 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

Any update on this? To be clear: a network attacker can create new folders and tamper with local application state when STARTTLS is used.
[trojita] [Bug 432354] New: Make implicit TLS the default for SMTP.
https://bugs.kde.org/show_bug.cgi?id=432354

            Bug ID: 432354
           Summary: Make implicit TLS the default for SMTP.
           Product: trojita
           Version: 0.7
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: SMTP
          Assignee: trojita-b...@kde.org
          Reporter: 93s4m32gd2ab8...@mailbox.org
  Target Milestone: ---

Trojita defaults to plaintext SMTP when a new account is configured. This should be changed to implicit TLS on port 465.

Furthermore, when a plaintext connection is used, Trojita could warn the user that this is not secure.
[trojita] [Bug 432353] New: Untagged responses are processed before STARTTLS.
https://bugs.kde.org/show_bug.cgi?id=432353

            Bug ID: 432353
           Summary: Untagged responses are processed before STARTTLS.
           Product: trojita
           Version: 0.7
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: critical
          Priority: NOR
         Component: IMAP
          Assignee: trojita-b...@kde.org
          Reporter: 93s4m32gd2ab8...@mailbox.org
  Target Milestone: ---

Trojita accepts LIST, LSUB, STATUS, ... untagged responses before STARTTLS and incorporates them into local state. I am not sure if this is already kind of a misbehavior even without STARTTLS, because the IMAP RFC does not really prohibit that. However, a meddler in the middle can use this to tamper with the state of Trojita.

This *could* also be escalated to a more severe issue. E.g. when an attacker injects a folder name with "\r\n ", it could trick Trojita to execute attacker-controlled commands on the IMAP server after login. The only thing preventing this is sanitization of folder names, but I am not sure if we should count on that...
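The defensive rule the report implies is that nothing received in plaintext before the STARTTLS handshake completes should reach mailbox state. Below is an added, hypothetical model of that rule (not Trojita's code): `handleServerLine` only acts on the tagged reply to the client's own STARTTLS command while the connection is still plaintext and drops every other line; the constructed session in the comments shows a pre-TLS `* LIST` being discarded while a post-TLS one is applied.

```cpp
#include <string>
#include <vector>

// Hypothetical minimal model of an IMAP client's pre-STARTTLS phase (not Trojita's code).
// Until the TLS handshake has completed, the only server data acted on is the tagged
// reply to the client's own STARTTLS command; every untagged response that arrives in
// plaintext is dropped instead of being merged into mailbox state. Capabilities seen
// before TLS must likewise be re-requested afterwards, which this model simply omits.
struct ImapState {
    bool tlsEstablished = false;
    std::vector<std::string> mailboxes;   // names learned from * LIST responses
    std::vector<std::string> dropped;     // plaintext lines ignored (kept for logging)
};

static bool startsWith(const std::string& s, const std::string& prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// Feed one complete server line (CRLF already stripped). `tag` is the tag the client
// used for its STARTTLS command. Returns true if the line was applied to state.
bool handleServerLine(ImapState& st, const std::string& tag, const std::string& line) {
    if (!st.tlsEstablished) {
        if (startsWith(line, tag + " OK")) {   // our STARTTLS was accepted
            st.tlsEstablished = true;           // caller performs the handshake here
            return true;
        }
        st.dropped.push_back(line);             // greeting, * LIST, * CAPABILITY, ...: untrusted
        return false;
    }
    if (startsWith(line, "* LIST ")) {
        // crude extraction of the last quoted field; a real parser also handles literals
        auto end = line.rfind('"');
        auto begin = line.rfind('"', end - 1);
        if (end != std::string::npos && begin != std::string::npos && begin < end)
            st.mailboxes.push_back(line.substr(begin + 1, end - begin - 1));
    }
    return true;
}

// Constructed session: two plaintext lines (greeting and an injected LIST) are dropped,
// the tagged OK switches to TLS, and only the LIST received afterwards is applied.
ImapState runConstructedSession() {
    ImapState st;
    const char* session[] = {
        "* OK IMAP4rev1 ready",
        "* LIST (\\Noselect) \"/\" \"Injected\"",
        "a001 OK Begin TLS negotiation now",
        "* LIST () \"/\" \"INBOX\"",
    };
    for (const char* line : session) handleServerLine(st, "a001", line);
    return st;
}
```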
[trojita] [Bug 423453] Trojita might not validate TLS certificates in SMTP.
https://bugs.kde.org/show_bug.cgi?id=423453

--- Comment #3 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

Thank you Jan for your very fast response and patch! Can you already tell when this will find its way into a new release?
[trojita] [Bug 423453] New: Trojita might not validate TLS certificates in SMTP.
https://bugs.kde.org/show_bug.cgi?id=423453

            Bug ID: 423453
           Summary: Trojita might not validate TLS certificates in SMTP.
           Product: trojita
           Version: 0.7
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: SMTP
          Assignee: trojita-b...@kde.org
          Reporter: 93s4m32gd2ab8...@mailbox.org
  Target Milestone: ---

I have set up an email account where the server is configured to present valid certificates for both SMTP and IMAP (via Let's Encrypt). Now, I exchange the certificate for SMTP for a self-signed certificate and send an email. Trojita does not complain and connects to the SMTP server, providing a username and a password via a potentially insecure connection. This is a security issue.

When the IMAP certificate is exchanged for an invalid one, Trojita shows a security warning. Here, everything seems to be fine.

Tested on Trojita 0.7-git in NixOS and Trojita 0.7 in Ubuntu.
[kmail2] [Bug 423426] POP3 setup wizard defaults to unencrypted connections.
https://bugs.kde.org/show_bug.cgi?id=423426

--- Comment #2 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

Related: https://bugs.kde.org/show_bug.cgi?id=389427 (but for IMAP)
[kmail2] [Bug 423426] POP3 setup wizard defaults to unencrypted connections.
https://bugs.kde.org/show_bug.cgi?id=423426

--- Comment #1 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

This is also related to https://bugs.kde.org/show_bug.cgi?id=423423 as the POP3 setup will not set "Server requires authentication" per default.
[kmail2] [Bug 423426] New: POP3 setup wizard defaults to unencrypted connections.
https://bugs.kde.org/show_bug.cgi?id=423426

            Bug ID: 423426
           Summary: POP3 setup wizard defaults to unencrypted connections.
           Product: kmail2
           Version: 5.13.3
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: kdepim-b...@kde.org
          Reporter: 93s4m32gd2ab8...@mailbox.org
  Target Milestone: ---

The setup wizard in kmail defaults to unencrypted connections. When the user clicks on "Check Mail" after the setup, the username and password are sent in the clear. I have not found a way to tell kmail in the manual configuration to use implicit TLS or STARTTLS.

What is even worse: assume you know about that and try to configure STARTTLS directly after the setup. In this case it happens that future connections still happen unencrypted, even though the UI tells otherwise. I clicked on "Restart" in the UI several times and also restarted Akonadi and KMail. In this case, I found that POP3 was once even reset back to "Unencrypted". After a few more tries it seems to have settled down to use STARTTLS.

I am using NixOS with kmail2 5.13.3 (19.12.3).
[kmail2] [Bug 423424] Kmail "forces" the user to accept invalid TLS certificates.
https://bugs.kde.org/show_bug.cgi?id=423424

--- Comment #1 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

This also applies in a limited form (dialogs show up slower) for SMTP.
[kmail2] [Bug 423424] New: Kmail "forces" the user to accept invalid TLS certificates.
https://bugs.kde.org/show_bug.cgi?id=423424

            Bug ID: 423424
           Summary: Kmail "forces" the user to accept invalid TLS certificates.
           Product: kmail2
           Version: 5.13.3
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: general
          Assignee: kdepim-b...@kde.org
          Reporter: 93s4m32gd2ab8...@mailbox.org
  Target Milestone: ---

When the IMAP TLS certificate is bad, i.e. self-signed, kmail shows a warning with three buttons: "Details", "Continue" and "Cancel". When the user clicks on "Cancel", kmail repeats the login process and shows the warning again immediately. This process continues in a loop, which cannot be canceled by the user when clicking on "Cancel" (the only secure option). The only way to "escape" from this loop is to click on "Continue", which might reveal the username and password.
[kmail2] [Bug 423423] New: STARTTLS is ignored when "Server requires authentication" not checked in UI
https://bugs.kde.org/show_bug.cgi?id=423423

            Bug ID: 423423
           Summary: STARTTLS is ignored when "Server requires authentication" not checked in UI
           Product: kmail2
           Version: 5.13.3
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: general
          Assignee: kdepim-b...@kde.org
          Reporter: 93s4m32gd2ab8...@mailbox.org
  Target Milestone: ---

The STARTTLS option of SMTP is ignored when "Server requires authentication" is not checked. In this case kmail will send any mail in cleartext.

Tested with kmail2 5.13.3 (19.12.3).
[trojita] [Bug 416942] New: Typo and unclear TLS settings
https://bugs.kde.org/show_bug.cgi?id=416942

            Bug ID: 416942
           Summary: Typo and unclear TLS settings
           Product: trojita
           Version: 0.7
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: Desktop GUI
          Assignee: trojita-b...@kde.org
          Reporter: 93s4m32gd2ab8...@mailbox.org
  Target Milestone: ---

Hello,

There seems to be a typo in the German translation of the IMAP and SMTP configuration.

The *English translation* is as follows:

SMTP
* No encryption
* Use encryption (STARTTLS)
* Force encryption (TLS)

IMAP
* No encryption
* Use encryption (STARTTLS)
* Force encryption (TLS)

The *German translation* is:

SMTP
* Keine Verschlüsselung
* Verschlüsselung verwenden (STARTTLS)   // "verwenden" translates to "use"
* Verschlüsselung erzwingen (TLS)        // "erzwingen" translates to "force"

IMAP
* Keine Verschlüsselung
* Verschlüsselung verwenden (STARTTLS)
* Verschlüsselung erzwingen (*STARTTLS*) // typo here

Can you also clarify what those options mean? Given that we have "use" and "force", it seems that the encryption over STARTTLS is optional? Precisely, if Trojita is configured with "Use encryption (STARTTLS)", is it supposed to proceed in plaintext when the server does not advertise STARTTLS?

Thunderbird and other MUAs do it differently: they let you specify the method (STARTTLS or TLS), but will enforce transition to STARTTLS.
[trojita] [Bug 391667] Security bug
https://bugs.kde.org/show_bug.cgi?id=391667

--- Comment #3 from Damian Poddebniak <93s4m32gd2ab8...@mailbox.org> ---

So... should I write to Jan Kundrat or e.g. David Faure? This issue is trojita-specific.
[trojita] [Bug 391667] New: Security bug
https://bugs.kde.org/show_bug.cgi?id=391667

            Bug ID: 391667
           Summary: Security bug
           Product: trojita
           Version: unspecified
          Platform: unspecified
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: Cryptography
          Assignee: trojita-b...@kde.org
          Reporter: 93s4m32gd2ab8...@mailbox.org
  Target Milestone: ---

Hello,

I'd like to discuss a security problem, but we don't want to make it public right now. Can this issue be set to confidential?