Your message dated Sun, 21 Jan 2007 18:32:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#406604: fixed in enigmail 2:0.94.2-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: mozilla-thunderbird-enigmail
Version: 2:0.91-4sarge2
Severity: grave
Enigmail has had a serious bug for a long time, see
http://bugzilla.mozdev.org/show_bug.cgi?id=9730 for details.
An attacker can send properly crafted encrypted emails to the enigmail
user that will crash the receiver's instance of thunderbird.
Whether it is possible to inject code or to access the user's passphrase
using this approach is unclear.
A patch fixing the issue appeared on the enigmail mailing list. The
latest enigmail release (from yesterday, version v0.94.2) fixes the issue.
I believe this bug justifies a security update to sarge and etch.
Regards,
Tobias
Patrick Brunschwig's patch:
Index: enigmail.js
===================================================================
RCS file: /cvs/enigmail/src/package/enigmail.js,v
retrieving revision 1.190
diff -u -r1.190 enigmail.js
--- enigmail.js 8 Jul 2006 16:16:50 -0000 1.190
+++ enigmail.js 11 Jan 2007 10:33:04 -0000
@@ -883,9 +883,6 @@
DEBUG_LOG("enigmail.js: EnigmailProtocolHandler.newChannel:
messageURL="+messageUriObj.originalUrl+", "+contentType+",
"+contentCharset+"\n");
- if (!messageUriObj.persist)
- delete gEnigmailSvc._messageIdList[messageId];
-
} else {
contentType = "text/plain";
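Review bot: The removed lines in EnigmailProtocolHandler.newChannel were the only cleanup of gEnigmailSvc._messageIdList visible in this hunk, and nothing replaces them, so entries with messageUriObj.persist unset now stay in the list after the channel is created. Please point to where those entries are released instead (or bound the list size), and add a short comment at this spot saying why the entry has to outlive newChannel, since the patch carries no rationale.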
--- End Message ---
--- Begin Message ---
Source: enigmail
Source-Version: 2:0.94.2-1
We believe that the bug you reported is fixed in the latest version of
enigmail, which is due to be installed in the Debian FTP archive:
enigmail_0.94.2-1.diff.gz
to pool/main/e/enigmail/enigmail_0.94.2-1.diff.gz
enigmail_0.94.2-1.dsc
to pool/main/e/enigmail/enigmail_0.94.2-1.dsc
enigmail_0.94.2-1_i386.deb
to pool/main/e/enigmail/enigmail_0.94.2-1_i386.deb
enigmail_0.94.2.orig.tar.gz
to pool/main/e/enigmail/enigmail_0.94.2.orig.tar.gz
mozilla-thunderbird-enigmail_0.94.2-1_all.deb
to pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.94.2-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Sack <[EMAIL PROTECTED]> (supplier of updated enigmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 21 Jan 2006 20:00:00 +0100
Source: enigmail
Binary: enigmail mozilla-thunderbird-enigmail
Architecture: source i386 all
Version: 2:0.94.2-1
Distribution: unstable
Urgency: high
Maintainer: Alexander Sack <[EMAIL PROTECTED]>
Changed-By: Alexander Sack <[EMAIL PROTECTED]>
Description:
enigmail - GnuPG support for Icedove
mozilla-thunderbird-enigmail - Transition package for enigmail rename
Closes: 406604
Changes:
enigmail (2:0.94.2-1) unstable; urgency=high
.
* new upstream version fixes potential security issue (Closes: 406604)
Files:
8f74d25170cde1fd547c9a5b882e26c4 1353 mail optional enigmail_0.94.2-1.dsc
13f6598dc5ab3dba8f6d72919e9c647c 1067454 mail optional enigmail_0.94.2.orig.tar.gz
182c59aa207541ed7acce9b0080338a2 18268 mail optional enigmail_0.94.2-1.diff.gz
fe948e765eb7fe48bb64dfe883fc44d5 323332 mail optional enigmail_0.94.2-1_i386.deb
d09256384d97c3c4f5ac4a5e2be91b58 12542 mail optional mozilla-thunderbird-enigmail_0.94.2-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---