[Secure-testing-team] Bug#745556: kmail accepts invalid SMTP TLS certificate against user action

Rémi Denis-Courmont courmisch at gmail.com
Tue Apr 22 19:33:28 UTC 2014


Package: kmail
Version: 4:4.11.5-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

Configure an outgoing SMTP server with (Start)TLS in kmail. If the
server presents an invalid or self-signed certificate to the agent,
KDE will show a warning dialog offering three choices: details,
continue and cancel (not sure about translation from fr_FR locale).

The "details" button works as expected, showing the certificate info,
then returning to the previous dialog.

The "cancel" button has no effect other than to bring the same dialog
back almost instantly, in an infinite loop.

The "continue" button yields another dialog letting the user choose how
long to accept the certificate, either forever or only for the current
session. If the dialog is closed without an answer, KMail assumes forever.
At that point, the mail feeder will happily send the user's credentials
to the untrusted server.


So basically, there is no way to reject an invalid certificate, other
than to kill the mail feeder or take the system offline.
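The behaviour reported above has two defects from a client-design point of view: "cancel" re-prompts instead of aborting the send, and a dialog closed without an answer is treated as "trust forever". The following is an added illustration (not KMail's or KDE's code) of a fail-closed certificate-acceptance policy for an SMTP STARTTLS client: every path that is not an explicit "continue" followed by an explicit duration ends in rejection, "cancel" aborts the delivery on the first prompt, and session-only trust is kept in memory keyed by the certificate's SHA-256 fingerprint. The `ask`/`ask_duration` callbacks, the `scripted()` test double and the `smtp_starttls()` wrapper are assumptions for the example; the DER bytes used in the checks are constructed placeholders, not a real certificate.

```python
import hashlib
import smtplib
import ssl
from dataclasses import dataclass, field
from typing import Callable, Optional

# Answers the certificate warning dialog can return; None models the dialog
# being closed without an answer (the case the report shows being treated as
# "accept forever").
DETAILS, CONTINUE, CANCEL = "details", "continue", "cancel"
SESSION, FOREVER = "session", "forever"


class DeliveryAborted(Exception):
    """The certificate was rejected: the send must stop, not re-prompt."""


def scripted(*answers):
    """Prompt callback returning the given answers in order (constructed test
    double, not part of any real client). Once the script is exhausted it
    returns None, i.e. the dialog was closed without an answer."""
    queue = list(answers)

    def prompt(*_):
        return queue.pop(0) if queue else None

    return prompt


@dataclass
class CertTrustPolicy:
    ask: Callable[[str], Optional[str]]           # shows the warning; DETAILS/CONTINUE/CANCEL/None
    ask_duration: Callable[[], Optional[str]]     # SESSION/FOREVER/None
    persistent: set = field(default_factory=set)  # fingerprints a real client would store on disk
    session: set = field(default_factory=set)     # fingerprints valid for this process only
    max_details_views: int = 5                    # bound on "details" round trips

    @staticmethod
    def fingerprint(der: bytes) -> str:
        return hashlib.sha256(der).hexdigest()

    def decide(self, der: bytes, reason: str) -> bool:
        """Return True if the certificate may be used; raise DeliveryAborted otherwise.

        Only an explicit "continue" plus an explicit duration grants trust, so
        closing a dialog can never accept a certificate."""
        fp = self.fingerprint(der)
        if fp in self.persistent or fp in self.session:
            return True
        for _ in range(self.max_details_views + 1):
            answer = self.ask(reason)
            if answer == DETAILS:
                continue  # details were shown; ask the same question again
            if answer != CONTINUE:  # CANCEL, or dialog closed without an answer
                raise DeliveryAborted(f"certificate rejected ({reason}): {answer or 'dialog closed'}")
            duration = self.ask_duration()
            if duration == FOREVER:
                self.persistent.add(fp)
            elif duration == SESSION:
                self.session.add(fp)
            else:
                raise DeliveryAborted("duration dialog closed without an answer; not trusting")
            return True
        raise DeliveryAborted("no decision after repeated prompts; not trusting")


def accepts(policy: CertTrustPolicy, der: bytes, reason: str) -> bool:
    """Boolean view of policy.decide() for callers that only need yes/no."""
    try:
        return policy.decide(der, reason)
    except DeliveryAborted:
        return False


def smtp_starttls(host: str, port: int, policy: CertTrustPolicy) -> smtplib.SMTP:
    """Open an SMTP session with STARTTLS; certificates OpenSSL rejects go to the policy."""
    smtp = smtplib.SMTP(host, port, timeout=30)
    try:
        smtp.starttls(context=ssl.create_default_context())  # chain and host name verified
        return smtp
    except ssl.SSLCertVerificationError as err:
        reason = err.verify_message
        smtp.close()
    # Second handshake with OpenSSL verification off, so the policy judges the
    # certificate that authenticated *this* connection, not one fetched separately.
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    smtp = smtplib.SMTP(host, port, timeout=30)
    smtp.starttls(context=lax)
    der = smtp.sock.getpeercert(binary_form=True)
    try:
        policy.decide(der, reason)
    except DeliveryAborted:
        smtp.close()  # no credentials are ever sent on a rejected connection
        raise
    return smtp
```

The design point is that the policy never loops on "cancel" and never converts silence into consent: a closed warning dialog, a closed duration dialog, or an exhausted run of "details" views all raise `DeliveryAborted`, and the caller closes the socket before any `AUTH` exchange could occur. Persisting `persistent` to disk and showing real dialogs are left to the client.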




-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.10-basile (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kmail depends on:
ii  kde-runtime                   4:4.11.5-1
ii  kdepim-runtime                4:4.11.5-1
ii  kdepimlibs-kio-plugins        4:4.11.5-4+b1
ii  libakonadi-calendar4          4:4.11.5-4+b1
ii  libakonadi-contact4           4:4.11.5-4+b1
ii  libakonadi-kde4               4:4.11.5-4+b1
ii  libakonadi-kmime4             4:4.11.5-4+b1
ii  libakonadiprotocolinternals1  1.11.0-1
ii  libc6                         2.18-4
ii  libcalendarsupport4           4:4.11.5-1
ii  libgcc1                       1:4.9-20140411-2
ii  libgpgme++2                   4:4.11.5-4+b1
ii  libgrantlee-core0             0.3.0-5
ii  libincidenceeditorsng4        4:4.11.5-1
ii  libkabc4                      4:4.11.5-4+b1
ii  libkalarmcal2                 4:4.11.5-4+b1
ii  libkcalcore4                  4:4.11.5-4+b1
ii  libkcalutils4                 4:4.11.5-4+b1
ii  libkcmutils4                  4:4.11.5-3
ii  libkdecore5                   4:4.11.5-3
ii  libkdepim4                    4:4.11.5-1
ii  libkdeui5                     4:4.11.5-3
ii  libkio5                       4:4.11.5-3
ii  libkleo4                      4:4.11.5-1
ii  libkmime4                     4:4.11.5-4+b1
ii  libknewstuff3-4               4:4.11.5-3
ii  libknotifyconfig4             4:4.11.5-3
ii  libkontactinterface4          4:4.11.5-4+b1
ii  libkparts4                    4:4.11.5-3
ii  libkpgp4                      4:4.11.5-1
ii  libkpimidentities4            4:4.11.5-4+b1
ii  libkpimtextedit4              4:4.11.5-4+b1
ii  libkpimutils4                 4:4.11.5-4+b1
ii  libkprintutils4               4:4.11.5-3
ii  libksieveui4                  4:4.11.5-1
ii  libktnef4                     4:4.11.5-4+b1
ii  libmailcommon4                4:4.11.5-1
ii  libmailimporter4              4:4.11.5-1
ii  libmailtransport4             4:4.11.5-4+b1
ii  libmessagecomposer4           4:4.11.5-1
ii  libmessagecore4               4:4.11.5-1
ii  libmessagelist4               4:4.11.5-1
ii  libmessageviewer4             4:4.11.5-1
ii  libnepomukcore4               4:4.11.5-2+b1
ii  libpimcommon4                 4:4.11.5-1
ii  libqt4-dbus                   4:4.8.5+git242-g0315971+dfsg-2
ii  libqt4-network                4:4.8.5+git242-g0315971+dfsg-2
ii  libqt4-xml                    4:4.8.5+git242-g0315971+dfsg-2
ii  libqtcore4                    4:4.8.5+git242-g0315971+dfsg-2
ii  libqtgui4                     4:4.8.5+git242-g0315971+dfsg-2
ii  libqtwebkit4                  2.2.1-7
ii  libsendlater4                 4:4.11.5-1
ii  libsolid4                     4:4.11.5-3
ii  libsoprano4                   2.9.4+dfsg-1
ii  libstdc++6                    4.9-20140411-2
ii  libtemplateparser4            4:4.11.5-1
ii  perl                          5.18.2-2+b1

Versions of packages kmail recommends:
ii  gnupg-agent                  2.0.22-3
ii  gnupg2                       2.0.22-3
ii  pinentry-qt4 [pinentry-x11]  0.8.3-2

Versions of packages kmail suggests:
pn  clamav | f-prot-installer                                            <none>
pn  kaddressbook                                                         <none>
pn  kleopatra                                                            <none>
pn  procmail                                                             <none>
pn  spamassassin | bogofilter | annoyance-filter | spambayes | bsfilter  <none>

-- no debconf information