[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Requesting a CVE id for =?iso-8859-1?Q?Trojit=E1,_an_e-mail_client:_Improper_Certific
From:       Jan_Kundrát <jkt () kde ! org>
Date:       2020-06-25 10:05:03
Message-ID: 96bf2c19-1a4d-494a-a643-a7501a22fc67 () kde ! org
[Download RAW message or body]

Hi folks, I would appreciate a Cc on responses as I'm not subscribed to 
this list. I would like to request a CVE for the following vulnerability:

Summary
-------

Damian Poddebniak discovered a TLS verification failure (CWE-295) in 
Trojitá [1], a fast Qt IMAP e-mail client. When sending e-mails over SMTP, 
all TLS errors were ignored.

Background
----------

Trojita first gained support for SMTP submission in patch 0083eea5ed [2]. 
Since that commit (May 2009), there's been a FIXME comment in the code that 
SSL errors should be handled properly. Unfortunately, this issue kept 
falling through the cracks and we never re-enabled TLS validation as the 
SMTP backend matured. As a result, outgoing SMTP connections were 
suspectible to a MITM attack, with authentication details including 
passwords and the message content potentially available to attackers.

IMAP connections are not suspectible to this bug.

Affected versions
-----------------

All versions of Trojita up to and including v0.7 are affected. The fix [3] 
will be included in version v0.8 which will be released once the CVE gets 
assigned.

Acknowledgement
---------------

Thanks to Damian Poddebniak for reporting [4] this bug.

[1] http://trojita.flaska.net/
[2] https://invent.kde.org/pim/trojita/-/commit/0083eea5ed
[3] https://gerrit.vesnicky.cesnet.cz/r/1035
[4] https://bugs.kde.org/show_bug.cgi?id=423453

With kind regards,
Jan

-- 
Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/
[prev in list] [next in list] [prev in thread] [next in thread]