security issue in enigmail package (CAN-2005-3256)

Bug #24592 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
enigmail (Debian) | Fix Released | Unknown | |
enigmail (Ubuntu) | Invalid | High | Unassigned |

Bug Description

Automatically imported from Debian bug report #335731 http://bugs.debian.org/335731

Debian Bug Importer (debzilla) wrote :

Message-Id: <E1EUSGL-0000zY-80@hanson>
Date: Tue, 25 Oct 2005 19:07:01 +0200
From: Alexander Sack <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: security issue in enigmail package (CAN-2005-3256)

--===============0626480308==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: enigmail
Version: 2:0.91-4
Severity: critical
Tags: security patch

If there is a key on your keyring, that has an empty UID (no name,
e-mail address, etc.), mail may be encrypted to that UID, although the
recipient was not chosen by the user. This may lead to disclosure of
confidential data to others.

This is CAN-2005-3256.

Patch received from upstream is attached.

 - asac

--===============0626480308==
Content-Type: text/x-c++; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="security-patch.txt"

--- /cygdrive/f/Enigmail/source/enigmail/src/ui/content/enigmailUserSelection.js 2005-06-01 17:08:40.578115200 +0200
+++ ./enigmailUserSelection.js 2005-09-08 07:18:44.896859200 +0200
@@ -154,6 +154,8 @@
      return r;
    }

+ var emptyUid = " -"; // replace with localizable string
+
    window.arguments[RESULT].cancelled=true;

    var secretOnly = (window.arguments[INPUT].options.indexOf("private")>= 0);
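Review bot: `emptyUid`, introduced by `var emptyUid = " -";`, is an in-band sentinel. Its own comment says it should become a localizable display string, yet the later hunks use it for the security decision (`mailAddr != emptyUid`). Keep the value used for comparison a fixed, non-localized constant (or better, a boolean on the user object) and localize only what is shown in the list, so that neither a translation nor a real UID that happens to read " -" can change which keys are eligible.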
@@ -249,6 +251,9 @@
          aUserList.push(userObj);
          break;
        case "uid":
+ if (listRow[USER_ID].length == 0) {
+ listRow[USER_ID] = emptyUid;
+ }
          if (typeof(userObj.userId) != "string") {
            userObj.userId=EnigConvertGpgToUnicode(listRow[USER_ID].replace(/\\e3A/g, ":"));
          }
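Review bot: the new check in `case "uid":` tests only `listRow[USER_ID].length == 0` and then overwrites the parsed field with the placeholder, so emptiness is recorded only as a magic string that still passes through `EnigConvertGpgToUnicode(...)` before it is stored in `userObj.userId`. A UID consisting solely of whitespace is not caught, and any conversion that alters the placeholder would defeat the later equality test. Suggest trimming before the length test and setting an explicit flag on `userObj` here, and confirming that no other case in this switch copies `listRow[USER_ID]` without the same guard.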
@@ -337,7 +342,7 @@
             escapedMailAddr=mailAddr.replace(escapeRegExp, "\\$1");
             s1=new RegExp("[, ]?"+escapedMailAddr+"[, ]","i");
             s2=new RegExp("[, ]"+escapedMailAddr+"[, ]?","i");
- if (invalidAddr.indexOf(" "+mailAddr+" ")<0) {
+ if ((mailAddr != emptyUid) && (invalidAddr.indexOf(" "+mailAddr+" ")<0)) {
               aValidUsers.push(mailAddr);
               aUserList[i].activeState =(toAddr.search(s1)>=0 || toAddr.search(s2)>=0) ? 1 : 0;
             }
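Review bot: in the changed `if`, the guard is an equality test against the placeholder rather than a check on the value that actually causes the problem. `s1` and `s2` are still built from `escapedMailAddr` first, and for an empty address they reduce to `[, ]?[, ]` and `[, ][, ]?`, which match any separator in `toAddr`. Suggest rejecting an empty or whitespace-only `mailAddr` before the regexes are constructed, and keeping the `emptyUid` comparison only as a second line of defence.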
@@ -368,7 +373,7 @@
                     escapedMailAddr=mailAddr.replace(escapeRegExp, "\\$1");
                     s1=new RegExp("[, ]?"+escapedMailAddr+"[, ]","i");
                     s2=new RegExp("[, ]"+escapedMailAddr+"[, ]?","i");
- if (toAddr.search(s1)>=0 || toAddr.search(s2)>=0) {
+ if ((mailAddr != emptyUid) && (toAddr.search(s1)>=0 || toAddr.search(s2)>=0)) {
                       aUserList[i].activeState = 1;
                     }
                   }
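Review bot: this is a second copy of the same escape/`s1`/`s2` block, now with a second hand-written `mailAddr != emptyUid` guard. The two conditions already differ in shape, so a future edit can fix one and miss the other. Suggest moving the match into one helper that returns false for an empty or placeholder address and calling it from both places. While there, note that the optional separators in `s1` (leading `[, ]?`) and `s2` (trailing `[, ]?`) let an address match as part of a longer one in `toAddr`; requiring a separator or string boundary on both sides would make `activeState = 1` depend on a whole-address match.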

--===============0626480308==--
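
The report above describes mail being encrypted to a key whose UID is empty. The following is an added example, not part of the original report and not Enigmail's code. It reuses the two regular expressions visible in the patch's context lines and compares them with a whole-address match. The escape set, the `toAddr` layout, the sample keyring and the assumption that such a key yields an empty `mailAddr` are all constructed for the demonstration.

```javascript
// Added illustration; helper names and sample data are constructed.
const escapeRegExp = /([.*+?^${}()|[\]\\])/g; // assumed escape set

// Matching as written in the patch's context lines, without the new guard.
function legacyIsActive(mailAddr, toAddr) {
  const escaped = mailAddr.replace(escapeRegExp, "\\$1");
  const s1 = new RegExp("[, ]?" + escaped + "[, ]", "i");
  const s2 = new RegExp("[, ]" + escaped + "[, ]?", "i");
  // With mailAddr === "" these are /[, ]?[, ]/ and /[, ][, ]?/:
  // any comma or space in the recipient string satisfies them.
  return toAddr.search(s1) >= 0 || toAddr.search(s2) >= 0;
}

// Stricter alternative: compare whole addresses and never accept an empty one.
function strictIsActive(mailAddr, toAddr) {
  const wanted = mailAddr.trim().toLowerCase();
  if (wanted.length === 0) return false;
  return toAddr.split(/[, ]+/)
    .map(a => a.trim().toLowerCase())
    .filter(a => a.length > 0)
    .includes(wanted);
}

// Constructed keyring: the second key has no address at all.
const keyring = [
  { keyId: "KEY-ALICE", mailAddr: "alice@example.org" },
  { keyId: "KEY-EMPTY", mailAddr: "" },
  { keyId: "KEY-BOB", mailAddr: "bob@example.org" },
];

// Return the ids of the keys that would be pre-selected for this message.
function selectKeys(isActive, toAddr) {
  return keyring.filter(k => isActive(k.mailAddr, toAddr)).map(k => k.keyId);
}

// Constructed recipient string (assumed: comma separated, space padded).
const toAddr = " alice@example.org, carol@example.org ";
console.log("legacy:", selectKeys(legacyIsActive, toAddr));
console.log("strict:", selectKeys(strictIsActive, toAddr));
```

The legacy matcher pre-selects the empty-address key alongside the intended recipient, while the strict matcher selects only the key whose address is actually in the recipient list.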

In , Steve Langasek (vorlon) wrote : severity of 335731 is grave

# Automatically generated email from bts, devscripts version 2.9.7
 # only a security hole for people who use it
severity 335731 grave

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 25 Oct 2005 16:31:40 -0700
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: severity of 335731 is grave

# Automatically generated email from bts, devscripts version 2.9.7
 # only a security hole for people who use it
severity 335731 grave

Adam Conrad (adconrad) wrote :

Already fixed in Ubuntu.

In , Alexander Sack (asac) wrote : security issue is already fixed in unstable ... go to testing!

Version: 2:0.93-1

this issue is fixed in unstable, so let it in!

--
 GPG messages preferred. | .''`. ** Debian GNU/Linux **
 Alexander Sack | : :' : The universal
 <email address hidden> | `. `' Operating System
 http://www.jwsdot.com/ | `- http://www.debian.org/

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 27 Oct 2005 20:31:43 +0200
From: Alexander Sack <email address hidden>
To: <email address hidden>
Subject: security issue is already fixed in unstable ... go to testing!

Version: 2:0.93-1

this issue is fixed in unstable, so let it in!

--
 GPG messages preferred. | .''`. ** Debian GNU/Linux **
 Alexander Sack | : :' : The universal
 <email address hidden> | `. `' Operating System
 http://www.jwsdot.com/ | `- http://www.debian.org/
