[Secure-testing-team] Bug#508479: evolution shows an S/MIME signed message as ok even if modified
Joachim Breitner
nomeata at debian.org
Thu Dec 11 17:41:30 UTC 2008
Package: evolution
Version: 2.22.3.1-1
Severity: important
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
please consider raising the Severity if appropriate.
Attached are two very minimal test mails. You can drag'n'drop them into
evolution. The (self-signed) key.pem contains a certificate; you can
import it as a signing authority.
Both messages will be shown as correctly verified, although one is just a
copy of the other, with the body modified.
Obviously, this is a serious security problem.
Thanks,
Joachim
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-486
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages evolution depends on:
ii dbus 1.2.1-4 simple interprocess messaging syst
ii evolution-common 2.22.3.1-1 architecture independent files for
ii evolution-data-server 2.22.3-1.1 evolution database backend server
ii gconf2 2.22.0-1 GNOME configuration database syste
ii gnome-icon-theme 2.22.0-1 GNOME Desktop icon theme
ii gtkhtml3.14 3.18.3-1 HTML rendering/editing library - b
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libbluetooth2 3.36-1 Library to use the BlueZ Linux Blu
ii libbonobo2-0 2.22.0-1 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.22.0-1 The Bonobo UI library
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libcairo2 1.8.4-1 The Cairo 2D vector graphics libra
ii libcamel1.2-11 2.22.3-1.1 The Evolution MIME message handlin
ii libdbus-1-3 1.2.1-4 simple interprocess messaging syst
ii libdbus-glib-1-2 0.76-1 simple interprocess messaging syst
ii libebook1.2-9 2.22.3-1.1 Client library for evolution addre
ii libecal1.2-7 2.22.3-1.1 Client library for evolution calen
ii libedataserver1.2-9 2.22.3-1.1 Utility library for evolution data
ii libedataserverui1.2-8 2.22.3-1.1 GUI utility library for evolution
ii libegroupwise1.2-13 2.22.3-1.1 Client library for accessing group
ii libexchange-storage1.2 2.22.3-1.1 Client library for accessing Excha
ii libfontconfig1 2.6.0-3 generic font configuration library
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
ii libgconf2-4 2.22.0-1 GNOME configuration database syste
ii libglade2-0 1:2.6.3-1 library to load .glade files at ru
ii libglib2.0-0 2.17.6-1 The GLib library of C routines
ii libgnome-pilot2 2.0.15-2.4 Support libraries for gnome-pilot
ii libgnome2-0 2.20.1.1-2 The GNOME 2 library - runtime file
ii libgnomecanvas2-0 2.20.1.1-1 A powerful object-oriented display
ii libgnomeui-0 2.20.1.1-2 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 1:2.22.0-5 GNOME Virtual File System (runtime
ii libgtk2.0-0 2.12.11-4 The GTK+ graphical user interface
ii libgtkhtml3.14-19 3.18.3-1 HTML rendering/editing library - r
ii libhal1 0.5.11-6 Hardware Abstraction Layer - share
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libnm-glib0 0.6.6-2 network management framework (GLib
ii libnotify1 [libnotify1 0.4.4-3 sends desktop notifications to a n
ii libnspr4-0d 4.7.1-4 NetScape Portable Runtime Library
ii libnss3-1d 3.12.0-5 Network Security Service libraries
ii liborbit2 1:2.14.16-0.1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.22.3-1 Layout and rendering of internatio
ii libpisock9 0.12.3-5 library for communicating with a P
ii libpisync1 0.12.3-5 synchronization library for PalmOS
ii libpixman-1-0 0.12.0-1 pixel-manipulation library for X a
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libsm6 2:1.0.3-2 X11 Session Management library
ii libsoup2.4-1 2.4.1-2 an HTTP library implementation in
ii libusb-0.1-4 2:0.1.12-13 userspace USB programming library
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxcb-render-util0 0.2.1+git1-1 utility libraries for X C Binding
ii libxcb-render0 1.1-1.1 X C Binding, render extension
ii libxcb1 1.1-1.1 X C Binding
ii libxcursor1 1:1.1.9-1 X cursor management library
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii libxfixes3 1:4.0.3-2 X11 miscellaneous 'fixes' extensio
ii libxi6 2:1.1.4-1 X11 Input extension library
ii libxinerama1 2:1.0.3-2 X11 Xinerama extension library
ii libxml2 2.6.32.dfsg-5 GNOME XML library
ii libxrandr2 2:1.2.3-1 X11 RandR extension library
ii libxrender1 1:0.9.4-2 X Rendering Extension client libra
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages evolution recommends:
pn bogofilter | spamassassin <none> (no description available)
ii evolution-plugins 2.22.3.1-1 standard plugins for Evolution
pn evolution-webcal <none> (no description available)
ii gnome-desktop-data 2.22.3-2 Common files for GNOME 2 desktop a
pn gnome-pilot-conduits <none> (no description available)
ii yelp 2.22.1-8+b1 Help browser for GNOME 2
Versions of packages evolution suggests:
ii bug-buddy 2.22.0+dfsg-3 GNOME Desktop Environment bug repo
pn evolution-dbg <none> (no description available)
pn evolution-exchange <none> (no description available)
pn evolution-plugins-experime <none> (no description available)
ii gnome-spell 1.0.7-1 GNOME/Bonobo component for spell c
ii gnupg 1.4.9-3 GNU privacy guard - a free PGP rep
pn network-manager <none> (no description available)
-- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklBUMcACgkQ9ijrk0dDIGxh3ACeMaWboLHo3fpTp3qGKNkv6ZFY
agQAn0dutzABqF1A6oVoDaSLIj2hDhFC
=QbCj
-----END PGP SIGNATURE-----
-------------- next part --------------
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-------------- next part --------------
>From me at her
From: me at hier
To: you at there
Subject: test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----592BC18E2E1548F0257E2BFC67A543F8"

This is an S/MIME signed message
------592BC18E2E1548F0257E2BFC67A543F8
Content-type: text/plain

This is the body
------592BC18E2E1548F0257E2BFC67A543F8
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

...
------592BC18E2E1548F0257E2BFC67A543F8--
-------------- next part --------------
>From me at her
From: me at hier
To: you at there
Subject: test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----592BC18E2E1548F0257E2BFC67A543F8"

This is an S/MIME signed message
------592BC18E2E1548F0257E2BFC67A543F8
Content-type: text/plain

This is the modified body
------592BC18E2E1548F0257E2BFC67A543F8
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIEygYJKoZIhvcNAQcCoIIEuzCCBLcCAQExCzAJBgUrDgMCGgUAMD0GCSqGSIb3
DQEHAaAwBC5Db250ZW50LXR5cGU6IHRleHQvcGxhaW4NCg0KVGhpcyBpcyB0aGUg
Ym9keQ0KoIICtDCCArAwggIZoAMCAQICCQC5v5LX004SOjANBgkqhkiG9w0BAQUF
ADBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMY
SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTA4MDgyMTEwMjEzM1oXDTA5MDgy
MTEwMjEzM1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAf
BgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEA1D/iEN3VAZlFJmnvTOOlLWESxu9Zv5Wp3xxsBuPBJimL3BXl
eEWigTGj5cE0AQ8Rttg27k0oYlzLu+cSRLl84DtddjbxwZvNNr98Nu2UWH45Naib
q98TANNpDzX60nZTSE5qCaKl8F1xV0o63n32lEThIU36o8ahLqZakjwCNXUCAwEA
AaOBpzCBpDAdBgNVHQ4EFgQU7HwD03ohthVbHb+j/0LNOkIcWuswdQYDVR0jBG4w
bIAU7HwD03ohthVbHb+j/0LNOkIcWuuhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYD
VQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
dGSCCQC5v5LX004SOjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAIQY
6dRCYwAfTFkdvPpJHFkyBK0fgrDUGko9ECAuPpJT3oD/MT+uamGxGjUyiN59B5bu
2ITQG5km/9GBRMCjPreI3eexxwC/5g45MqrCK/0VukZl8zI+Snyeuu1rkn5Dte+2
HGmi2/xmK/ljKNQo1B/rpEoGKIKb6ZU5zbYChrU3MYIBrDCCAagCAQEwUjBFMQsw
CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
ZXQgV2lkZ2l0cyBQdHkgTHRkAgkAub+S19NOEjowCQYFKw4DAhoFAKCBsTAYBgkq
hkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wODEyMTExNzM0
MDBaMCMGCSqGSIb3DQEJBDEWBBQa9eNqWrao9GXK2DxxjVBdwtFtyDBSBgkqhkiG
9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgDrM
SNDNcfWN4wgcmAVBgRtT0h4PyK06nSYXVNxx84nltU/LdeJdJassOcwYzIsMTRah
LdwclONqDwnkKppOtiKCZG7i/FhDnQnrkPmEupAd93rkyNYv7wtDG+gVJoClFB13
o1rMjfYH/huHrVkhfhTU2Gmrkx9iyLLDExJYpLvj
------592BC18E2E1548F0257E2BFC67A543F8--
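The checks the report's two test mails exercise, as an added example that is not part of the bug report and not Evolution's code. The script rebuilds both mails from the text above (CRLF line endings and the blank lines between headers and bodies restored, since the archive copy dropped them) around the smime.p7s shown with the modified mail; the report says the second mail is a copy of the first with only the body changed, so both are assumed to carry that same signature. Using only the standard library and a minimal DER walker, it does what a multipart/signed verifier has to do: hash the first MIME part exactly as delivered and compare it with the signed messageDigest attribute, then verify the RSA PKCS#1 v1.5 signature over the signed attributes with the public key of the certificate embedded in the signature. The modified mail fails at the first step. It also extracts the copy of the content that this particular p7s carries inside it (its eContent), to show that a verifier which hashes only that embedded copy cannot tell the two mails apart. Certificate trust, chain and validity are not checked; the function names, the dictionary layout and the (ok, reason) return shape are this example's own choices.

```python
import base64, hashlib, hmac, re

BOUNDARY = b"----592BC18E2E1548F0257E2BFC67A543F8"
P7S_B64 = (  # smime.p7s attached to the modified test mail above; both mails carry it
    "MIIEygYJKoZIhvcNAQcCoIIEuzCCBLcCAQExCzAJBgUrDgMCGgUAMD0GCSqGSIb3DQEHAaAwBC5Db250ZW50LXR5cGU6IHRleHQvcGxhaW4NCg0KVGhpcyBpcyB0aGUgYm9keQ0KoIICtDCCArAwggIZoAMCAQICCQC5v5LX004SOjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMY"
    "SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTA4MDgyMTEwMjEzM1oXDTA5MDgyMTEwMjEzM1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1D/iEN3VAZlFJmnvTOOlLWESxu9Zv5Wp3xxsBuPBJimL3BXl"
    "eEWigTGj5cE0AQ8Rttg27k0oYlzLu+cSRLl84DtddjbxwZvNNr98Nu2UWH45Naibq98TANNpDzX60nZTSE5qCaKl8F1xV0o63n32lEThIU36o8ahLqZakjwCNXUCAwEAAaOBpzCBpDAdBgNVHQ4EFgQU7HwD03ohthVbHb+j/0LNOkIcWuswdQYDVR0jBG4wbIAU7HwD03ohthVbHb+j/0LNOkIcWuuhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYD"
    "VQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQC5v5LX004SOjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAIQY6dRCYwAfTFkdvPpJHFkyBK0fgrDUGko9ECAuPpJT3oD/MT+uamGxGjUyiN59B5bu2ITQG5km/9GBRMCjPreI3eexxwC/5g45MqrCK/0VukZl8zI+Snyeuu1rkn5Dte+2"
    "HGmi2/xmK/ljKNQo1B/rpEoGKIKb6ZU5zbYChrU3MYIBrDCCAagCAQEwUjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkAgkAub+S19NOEjowCQYFKw4DAhoFAKCBsTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wODEyMTExNzM0"
    "MDBaMCMGCSqGSIb3DQEJBDEWBBQa9eNqWrao9GXK2DxxjVBdwtFtyDBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgDrMSNDNcfWN4wgcmAVBgRtT0h4PyK06nSYXVNxx84nltU/LdeJdJassOcwYzIsMTRah"
    "LdwclONqDwnkKppOtiKCZG7i/FhDnQnrkPmEupAd93rkyNYv7wtDG+gVJoClFB13o1rMjfYH/huHrVkhfhTU2Gmrkx9iyLLDExJYpLvj"
)
OID_SHA1 = bytes.fromhex("06052b0e03021a")  # id-sha1, the micalg both mails declare
OID_MESSAGE_DIGEST = bytes.fromhex("06092a864886f70d010904")  # pkcs-9 messageDigest attribute
SHA1_DIGEST_INFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 DigestInfo prefix

def build_test_mail(body):
    """Rebuild one of the report's test mails (CRLF endings and blank lines restored)."""
    part = b"Content-type: text/plain\r\n\r\n" + body + b"\r\n"
    return b"".join([
        b"From: me at hier\r\nTo: you at there\r\nSubject: test\r\nMIME-Version: 1.0\r\n",
        b'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; ',
        b'micalg=sha1; boundary="', BOUNDARY, b'"\r\n\r\nThis is an S/MIME signed message\r\n',
        b"--", BOUNDARY, b"\r\n", part, b"\r\n--", BOUNDARY, b"\r\n",
        b'Content-Type: application/x-pkcs7-signature; name="smime.p7s"\r\n',
        b'Content-Transfer-Encoding: base64\r\nContent-Disposition: attachment; filename="smime.p7s"\r\n\r\n',
        P7S_B64.encode(), b"\r\n--", BOUNDARY, b"--\r\n"])

def der_read(buf, pos=0):
    """Minimal DER TLV reader: (tag, raw TLV, value, end offset); single-byte tags only."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[pos:start + length], buf[start:start + length], start + length

def der_children(value):
    """Split a constructed DER value into its child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, raw, val, pos = der_read(value, pos)
        out.append((tag, raw, val))
    return out

def split_multipart_signed(raw):
    """RFC 1847: signed data is the first body part verbatim, headers included, up to the CRLF of the next delimiter."""
    headers, _, body = raw.partition(b"\r\n\r\n")
    delim = b"\r\n--" + re.search(rb'boundary="([^"]+)"', headers).group(1)
    start = body.index(delim) + len(delim) + 2  # skip the delimiter line and its CRLF
    end = body.index(delim, start)
    sig_start = end + len(delim) + 2
    sig_part = body[sig_start:body.index(delim, sig_start)]
    return body[start:end], base64.b64decode(sig_part.partition(b"\r\n\r\n")[2])

def parse_p7s(p7s):
    """Pull the fields verification needs out of a single-signer CMS SignedData."""
    ci = der_children(der_read(p7s)[2])                  # contentType OID, [0] SignedData
    sd = der_children(der_children(ci[1][2])[0][2])      # version, digestAlgs, encap, [0] certs, signerInfos
    encap = der_children(sd[2][2])                       # eContentType, optional [0] eContent
    cert = der_children(next(c for c in sd if c[0] == 0xA0)[2])[0]
    tbs = der_children(der_children(cert[2])[0][2])
    spki = der_children(tbs[6 if tbs[0][0] == 0xA0 else 5][2])  # skip [0] version when present
    n, e = (int.from_bytes(x[2], "big") for x in der_children(der_read(spki[1][2][1:])[2]))
    si = der_children(der_children(sd[-1][2])[0][2])     # first SignerInfo
    signed_attrs = next(c for c in si if c[0] == 0xA0)
    attrs = [der_children(a[2]) for a in der_children(signed_attrs[2])]
    md_attr = next(a for a in attrs if a[0][1] == OID_MESSAGE_DIGEST)
    return {"econtent": der_children(encap[1][2])[0][2] if len(encap) > 1 else None,
            "digest_oid": der_children(si[2][2])[0][1],
            "signed_attrs_der": b"\x31" + signed_attrs[1][1:],  # [0] IMPLICIT -> SET OF tag for hashing
            "message_digest": der_children(md_attr[1][2])[0][2],
            "signature": next(c for c in si if c[0] == 0x04)[2], "n": n, "e": e}

def verify(raw):
    """Return (ok, reason). Certificate trust, chain and validity are out of scope here."""
    content, p7s = split_multipart_signed(raw)
    s = parse_p7s(p7s)
    if s["digest_oid"] != OID_SHA1:
        return False, "unsupported digest algorithm"
    # Check 1: the signed messageDigest must equal the hash of the MIME part actually delivered.
    if not hmac.compare_digest(hashlib.sha1(content).digest(), s["message_digest"]):
        return False, "messageDigest does not match the delivered MIME part"
    # Check 2: PKCS#1 v1.5 RSA signature over the DER signed attributes, with the cert's key.
    k = (s["n"].bit_length() + 7) // 8
    em = pow(int.from_bytes(s["signature"], "big"), s["e"], s["n"]).to_bytes(k, "big")
    t = SHA1_DIGEST_INFO + hashlib.sha1(s["signed_attrs_der"]).digest()
    if not hmac.compare_digest(em, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t):
        return False, "RSA signature over the signed attributes is invalid"
    return True, "signature binds the delivered body"

def embedded_copy_matches(raw):
    """True when the content copy inside the p7s (eContent) hashes to messageDigest: holds for any MIME body."""
    s = parse_p7s(split_multipart_signed(raw)[1])
    return s["econtent"] is not None and hashlib.sha1(s["econtent"]).digest() == s["message_digest"]

ORIGINAL, MODIFIED = build_test_mail(b"This is the body"), build_test_mail(b"This is the modified body")

if __name__ == "__main__":
    print({name: verify(m) for name, m in (("original", ORIGINAL), ("modified", MODIFIED))})
```

Run directly, it prints the verdict for both mails: the original passes both checks, the modified one is rejected at the messageDigest comparison, and `embedded_copy_matches` is true for both because the hash inside the signature is over the signature's own copy of the text, not over what the message delivers.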