SecurityTracker.com
Category:   Application (Security)  >   Enigmail
Vendors:   enigmail.mozdev.org
Enigmail May Select the Incorrect Key For Mail Encryption
SecurityTracker Alert ID:  1014891
SecurityTracker URL:  http://securitytracker.com/id/1014891
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 13 2005
Impact:   Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 0.92.1
Description:   A vulnerability was reported in Enigmail. A remote user may be able to gain access to potentially sensitive information in certain cases.

A remote user can create a specially crafted key with an 'empty UID' value. When the target user imports that key into their keyring, it triggers a flaw in the Enigmail extension for Mozilla and Thunderbird: the target user's mail client may encrypt mail to that key even though the target user did not select it when encrypting the mail.

The target user may have to assign trust to the key before the exploit can work properly.

Hadmut Danisch is credited with reporting this vulnerability.

The original advisory is available at:

http://www.dfn-cert.de/infoserv/dsb/dsb-2005-01.html

Impact:   In certain user-complicit cases, a remote user may be able to gain access to potentially sensitive information.
Solution:   The vendor has issued a fixed version (0.92.1), available at:

http://enigmail.mozdev.org/download.html

Vendor URL:  enigmail.mozdev.org/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
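
An added example, not taken from the advisory or from the Enigmail project: a keyring check for the condition described above, a key that carries an empty user ID. It assumes GnuPG's colon-delimited listing format (the output of `gpg --list-keys --with-colons`), in which field 10 of a `uid` record, or of the `pub` record in older GnuPG output, holds the user ID; the sample listing, key IDs and names are constructed.

```python
import sys

# Constructed sample in GnuPG --with-colons layout (not real keys).
SAMPLE_LISTING = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1126569600:::u:::scESC:
uid:u::::1126569600::0000000000000000000000000000000000000001::Alice Example <alice@example.org>:
sub:u:2048:1:A1A1A1A1A1A1A1A1:1126569600::::::e:
pub:f:1024:17:BBBBBBBBBBBBBBBB:1126569600:::-:::scESC:
uid:f::::1126569600::0000000000000000000000000000000000000002::Bob Example <bob@example.org>:
uid:f::::1126569600::0000000000000000000000000000000000000003:::
pub:-:1024:17:CCCCCCCCCCCCCCCC:1126569600:::-:::scESC:
pub:f:1024:17:DDDDDDDDDDDDDDDD:1126569600:::-:Dora Example <dora@example.org>::scESC:
"""


def field(parts, n):
    """Return 1-based field n of a colon record, or '' if the record is short."""
    return parts[n - 1] if len(parts) >= n else ""


def keys_with_empty_uid(listing):
    """Return [(key_id, validity)] for keys that have an empty or missing user ID."""
    keys = []
    for line in listing.splitlines():
        parts = line.split(":")
        if parts[0] == "pub":
            key = {"keyid": field(parts, 5), "validity": field(parts, 2), "uids": []}
            # Older GnuPG output puts the primary user ID on the pub record itself.
            if field(parts, 10).strip():
                key["uids"].append(field(parts, 10))
            keys.append(key)
        elif parts[0] == "uid" and keys:
            # Keep empty values too: an empty uid record is what we are looking for.
            keys[-1]["uids"].append(field(parts, 10))
    return [
        (k["keyid"], k["validity"])
        for k in keys
        if not k["uids"] or any(not u.strip() for u in k["uids"])
    ]


if __name__ == "__main__":
    # Pipe a real listing on stdin, or run with no input to use the sample.
    data = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for keyid, validity in keys_with_empty_uid(data):
        print(f"key {keyid}: empty user ID (validity field: {validity!r})")
```

The validity field is reported alongside each key ID because the advisory notes that trust may have to be assigned to the key for the flaw to take effect.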

