Re: [Security Patch] fix “Johnny you are fired” vulnerabilities



Hi Albrecht:

On 05/12/2019 08:56:42 AM Sun, Albrecht Dreß wrote:
Hi all,

attached is a larger patch which fixes Balsa's vulnerabilities regarding the “Johnny you are fired” [1] 
issues:


CMS Attack Class C2:
Multiple signatures are classified and reported as a possible attack, i.e. instead of perfect forgery, Balsa is 
not vulnerable any more.

ID Attack Class I1, I2 and I3:
Balsa now prints the uid of the signer's key (in the S/MIME case only CN and EMAIL components, or the full uid 
if both are missing) in the headers section which cannot be controlled by an attacker.  We don't cross-check 
the uid against the From: and/or Sender: address, as spoofing them is trivial, and might lead to false 
positives e.g. for messages distributed by mailing lists.
The display of the invalid “from is sender . <signer>” and “from is sender <signer>” headers is exactly what 
GMime produces.  This seems to be a flaw in gmime 2.6, as gmime 3.2 correctly indicates that they are broken.  IOW, for 
the time being, it is not possible to fix this behaviour easily.
Although the latter is not optimal, IMO Balsa is not vulnerable any more, instead of a partial forgery.

MIME Attack Class M3 (inline PGP only) and M4 (inline PGP only):
The confusing valid signature info has been removed from the headers section.  Balsa is not vulnerable any 
more, instead of a weak forgery.


I also fixed some glitches in printing PGP inline or PGP/MIME and S/MIME combined signed and encrypted 
messages where the frame was missing.  This led to a slightly more extensive refactoring of src/print-gtk.c. 
 I also renamed the (for me) ugly sounding “Signed matter”, “Encrypted matter” and “Signed and encrypted 
matter” phrases (I invented them years ago, IIRC…) to just “Signed”, “Encrypted” and “Signed and encrypted” – 
native speakers, please check if this is correct, or replace them by better phrases!

As always, any comment will be welcome!

Cheers,
Albrecht.

[1] <https://mail.gnome.org/archives/balsa-list/2019-May/msg00000.html>

Thanks, as always, for the patch! No issues there for me😎️  Pushed to master at GitLab.

Best,

Peter

Attachment: pgpLUsPan0rtA.pgp
Description: PGP signature
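
The reduction of an S/MIME signer uid to its CN and EMAIL components (full uid if both are missing), as described in the mail above, shown as an added example that is not part of the original messages or of Balsa's code. The names `next_rdn`, `has_type` and `signer_label` are hypothetical, and the uid is assumed to be a comma-separated DN string with backslash escapes and no quoted values; components are matched by attribute type, so a "CN=" that appears inside another attribute's value is not displayed as the signer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the next "type=value" component of dn into rdn. A comma escaped with
 * a backslash belongs to the value. Returns 0 once dn is exhausted. */
static int next_rdn(const char *dn, size_t *pos, char *rdn, size_t len)
{
    size_t n = 0;
    while (dn[*pos] == ',' || dn[*pos] == ' ') (*pos)++;
    if (dn[*pos] == '\0') return 0;
    while (dn[*pos] != '\0' && dn[*pos] != ',') {
        if (dn[*pos] == '\\' && dn[*pos + 1] != '\0') {
            if (n + 1 < len) rdn[n++] = dn[*pos];   /* keep the escape */
            (*pos)++;
        }
        if (n + 1 < len) rdn[n++] = dn[*pos];
        (*pos)++;
    }
    rdn[n] = '\0';
    return 1;
}

/* True if rdn starts with the (upper-case) attribute type followed by '='. */
static int has_type(const char *rdn, const char *type)
{
    for (; *type != '\0'; rdn++, type++)
        if (toupper((unsigned char)*rdn) != *type) return 0;
    return *rdn == '=';
}

/* Reduce a signer uid to "CN=..., EMAIL=..."; full uid if it has neither. */
const char *signer_label(const char *uid, char *out, size_t len)
{
    char rdn[256];
    size_t pos = 0;
    out[0] = '\0';
    while (next_rdn(uid, &pos, rdn, sizeof rdn)) {
        if (!has_type(rdn, "CN") && !has_type(rdn, "EMAIL")) continue;
        if (out[0] != '\0') strncat(out, ", ", len - strlen(out) - 1);
        strncat(out, rdn, len - strlen(out) - 1);
    }
    if (out[0] == '\0') snprintf(out, len, "%s", uid);
    return out;
}

int main(void)
{
    char buf[128];  /* constructed sample uid, not taken from the page */
    puts(signer_label("CN=Alice Example,O=Example Org,EMAIL=alice@example.org", buf, sizeof buf));
    return 0;
}
```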


