The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Enigmail: encryption for an unspecified recipient

Synthesis of the vulnerability

When user keyring contains a key with an empty uid, this key is selected to encrypt the message.
Severity of this computer vulnerability: 3/4.
Creation date: 13/09/2005.
Références of this announce: BID-15155, CVE-2005-3256, DSA-889-1, MDKSA-2005:226, SUSE-SR:2005:028, VIGILANCE-VUL-5194, VU#805121.

Description of the vulnerability

Enigmail extension signs and encrypts emails with GnuPG.

User keyring contains publics keys for other users. When user encrypts a message, a dialog box may appear asking him to select recipient keys.

However, if a key has an empty uid field, it is selected by default. User may not see it has been selected if his keyring contains many keys.

An attacker can therefore convince user to add a key in his keyring, then capture sent messages in order to decrypt them.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer weakness bulletin impacts software or systems such as Debian, Mandriva Linux, Mozilla Suite, Thunderbird, openSUSE.

Our Vigil@nce team determined that the severity of this computer threat announce is important.

The trust level is of type confirmed by the editor, with an origin of internet server.

An attacker with a expert ability can exploit this threat announce.

Solutions for this threat

Debian: new enigmail packages.
New packages are available:
  Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/e/enigmail/mozilla-enigmail_0.91-4sarge2_i386.deb
      Size/MD5 checksum: 298752 1ab5eee62ddb846a74441bc50d0120cf
    http://security.debian.org/pool/updates/main/e/enigmail/mozilla-thunderbird-enigmail_0.91-4sarge2_i386.deb
      Size/MD5 checksum: 304076 eb8586436db24bf342f69b1d3996c37e
  Intel IA-64 architecture:
    http://security.debian.org/pool/updates/main/e/enigmail/mozilla-enigmail_0.91-4sarge2_ia64.deb
      Size/MD5 checksum: 360432 cff589e212e6852048c65121be50e06c
    http://security.debian.org/pool/updates/main/e/enigmail/mozilla-thunderbird-enigmail_0.91-4sarge2_ia64.deb
      Size/MD5 checksum: 365434 f5571495756e2b8a72bf609bf2e73824

Enigmail: version 0.92.1.
Version 0.92.1 is corrected:
  http://enigmail.mozdev.org/download.html

Mandriva: new mozilla-thunderbird packages.
New packages are available:
 Mandriva Linux 2006.0:
 a76040e992150836998fc822a99b7624 2006.0/RPMS/mozilla-thunderbird-1.0.6-7.2.20060mdk.i586.rpm
 591b78809b7425ece0f63f96b65d2d2b 2006.0/RPMS/mozilla-thunderbird-enigmail-1.0.6-7.2.20060mdk.i586.rpm
 72f81a292f80666ac90f6b4d6da8a694 2006.0/RPMS/mozilla-thunderbird-enigmime-1.0.6-7.2.20060mdk.i586.rpm
 5b45958f898c7a0da52227b1b7791eb8 2006.0/SRPMS/mozilla-thunderbird-1.0.6-7.2.20060mdk.src.rpm
 Mandriva Linux 2006.0/X86_64:
 7732c8c52831cdc49dcad7f27bf02ff7 x86_64/2006.0/RPMS/mozilla-thunderbird-1.0.6-7.2.20060mdk.x86_64.rpm
 63d0f9a9e474b6cf8259ee0e3e867c54 x86_64/2006.0/RPMS/mozilla-thunderbird-enigmail-1.0.6-7.2.20060mdk.x86_64.rpm
 3440b4677c7938a8d948d1f20b97ec33 x86_64/2006.0/RPMS/mozilla-thunderbird-enigmime-1.0.6-7.2.20060mdk.x86_64.rpm
 5b45958f898c7a0da52227b1b7791eb8 x86_64/2006.0/SRPMS/mozilla-thunderbird-1.0.6-7.2.20060mdk.src.rpm
 Corporate 3.0:
 fb13fdba83a8fb58fa7be5f879387776 corporate/3.0/RPMS/libnspr4-1.7.8-0.4.C30mdk.i586.rpm
 d2c026c3005bb117b168fa710b6707eb corporate/3.0/RPMS/libnspr4-devel-1.7.8-0.4.C30mdk.i586.rpm
 00fe306b2e32a43b668855ac07a7bc3a corporate/3.0/RPMS/libnss3-1.7.8-0.4.C30mdk.i586.rpm
 a1f58fd330e354d64098584a21075683 corporate/3.0/RPMS/libnss3-devel-1.7.8-0.4.C30mdk.i586.rpm
 ed922dcfda867e3e6aae232358e410d9 corporate/3.0/RPMS/mozilla-1.7.8-0.4.C30mdk.i586.rpm
 9af2dc6b388b787fa489dd6d50fd85e5 corporate/3.0/RPMS/mozilla-devel-1.7.8-0.4.C30mdk.i586.rpm
 f8b427e76177e505f4c461c36c58a6f4 corporate/3.0/RPMS/mozilla-dom-inspector-1.7.8-0.4.C30mdk.i586.rpm
 35ce2664bb8516b0adeb0bcf23814ffa corporate/3.0/RPMS/mozilla-enigmail-1.7.8-0.4.C30mdk.i586.rpm
 f794287f76a7aa84f8ab26a5f9e1390d corporate/3.0/RPMS/mozilla-enigmime-1.7.8-0.4.C30mdk.i586.rpm
 886465435f0c81de9888a406ecfaf731 corporate/3.0/RPMS/mozilla-irc-1.7.8-0.4.C30mdk.i586.rpm
 7852834c9f2b9b95d39abe8751d3849b corporate/3.0/RPMS/mozilla-js-debugger-1.7.8-0.4.C30mdk.i586.rpm
 42968285510df5716902b6566c8fc9fc corporate/3.0/RPMS/mozilla-mail-1.7.8-0.4.C30mdk.i586.rpm
 72ce466eed134f651d10ea9120d21f53 corporate/3.0/RPMS/mozilla-spellchecker-1.7.8-0.4.C30mdk.i586.rpm
 99c49b1370c18c2fa14c9f20b04e148d corporate/3.0/SRPMS/mozilla-1.7.8-0.4.C30mdk.src.rpm
 Corporate 3.0/X86_64:
 6642da49a0bdbec886a932fdab4d41e5 x86_64/corporate/3.0/RPMS/lib64nspr4-1.7.8-0.4.C30mdk.x86_64.rpm
 065391d250b7ceb31c01f12386cf3a04 x86_64/corporate/3.0/RPMS/lib64nspr4-devel-1.7.8-0.4.C30mdk.x86_64.rpm
 07cf6b5f1d4ce2212b76fc265aace41a x86_64/corporate/3.0/RPMS/lib64nss3-1.7.8-0.4.C30mdk.x86_64.rpm
 e65788bcc7d582095b30a87431947a8f x86_64/corporate/3.0/RPMS/lib64nss3-devel-1.7.8-0.4.C30mdk.x86_64.rpm
 a855523066d7b231da9ed889a995ad1a x86_64/corporate/3.0/RPMS/mozilla-1.7.8-0.4.C30mdk.x86_64.rpm
 7b894f998bd344841c861387be21c2b3 x86_64/corporate/3.0/RPMS/mozilla-devel-1.7.8-0.4.C30mdk.x86_64.rpm
 7b5fc684552363acea77ab8f344d38f5 x86_64/corporate/3.0/RPMS/mozilla-dom-inspector-1.7.8-0.4.C30mdk.x86_64.rpm
 4e969e057bcdc0f763e269cbbfcd0fb9 x86_64/corporate/3.0/RPMS/mozilla-enigmail-1.7.8-0.4.C30mdk.x86_64.rpm
 c84f31cefbbe5a92c1f1e6105a184fe8 x86_64/corporate/3.0/RPMS/mozilla-enigmime-1.7.8-0.4.C30mdk.x86_64.rpm
 28791c7db8d3d9802e8198dc599fad87 x86_64/corporate/3.0/RPMS/mozilla-irc-1.7.8-0.4.C30mdk.x86_64.rpm
 0308af9d9050d5cdeafd0a9baac05d48 x86_64/corporate/3.0/RPMS/mozilla-js-debugger-1.7.8-0.4.C30mdk.x86_64.rpm
 a993afbf2ed3e7d17734631b2ccee05c x86_64/corporate/3.0/RPMS/mozilla-mail-1.7.8-0.4.C30mdk.x86_64.rpm
 86f109cecac0a9de786f88d9400b0cf5 x86_64/corporate/3.0/RPMS/mozilla-spellchecker-1.7.8-0.4.C30mdk.x86_64.rpm
 99c49b1370c18c2fa14c9f20b04e148d x86_64/corporate/3.0/SRPMS/mozilla-1.7.8-0.4.C30mdk.src.rpm

SUSE: new netpbm, opera, inkscape, apache2, mozilla-mail, sylpheed-claws, phpMyAdmin, gnump3d, squid, php4, php5 packages.
New packages are available with FTP or YaST.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a systems vulnerabilities note. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.