Bug ID 1159973
Summary VUL-0: enigmail: Unsigned MIME parts displayed as signed
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.1
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee martin.sirringhaus@suse.com
Reporter Andreas.Stieger@gmx.de
QA Contact security-team@suse.de
CC martin.sirringhaus@suse.com, wolfgang@rosenauer.org
Found By Community User
Blocker ---

Using Content-Type = multipart/alternative, it is possible to trick Enigmail
into displaying a valid signature status for a MIME part that is actually not
signed.

Such messages have the following structure (or similar):

multipart/alternative
|- multipart/signed
|  |- text/plain
|
|- text/html


Fixed in 2.1.5.



Reproducer:
https://sourceforge.net/p/enigmail/bugs/1044/attachment/Sample%20Message.eml
https://sourceforge.net/p/enigmail/bugs/_discuss/thread/90e18ceedb/e1d4/attachment/Pubkey.asc

References:
https://sourceforge.net/p/enigmail/bugs/1044/
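
A receiving-side check for the structure described in the report, as an added example that is not part of the original bug report or of Enigmail's code: it walks the MIME tree with Python's standard `email` package and lists the parts that sit beside a multipart/signed child inside multipart/alternative, which the signature does not cover. The sample message and the function names are constructed for illustration.

```python
from email import message_from_string

# Constructed sample mirroring the structure in the report.
# The signature body is a placeholder, not a real signature.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="alt"

--alt
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain

signed text
--sig
Content-Type: application/pgp-signature

(placeholder)
--sig--

--alt
Content-Type: text/html

<p>unsigned text</p>
--alt--
"""

def unsigned_alternatives(msg, path="root"):
    """Return (path, content_type) for every part that is a sibling of a
    multipart/signed child inside a multipart/alternative container."""
    findings = []
    if not msg.is_multipart():
        return findings
    children = msg.get_payload()
    if msg.get_content_type() == "multipart/alternative" and any(
            c.get_content_type() == "multipart/signed" for c in children):
        findings += [(f"{path}/{i}", c.get_content_type())
                     for i, c in enumerate(children)
                     if c.get_content_type() != "multipart/signed"]
    for i, c in enumerate(children):  # recurse so nested containers are checked too
        findings += unsigned_alternatives(c, f"{path}/{i}")
    return findings

def scan(raw):
    """Parse a raw RFC 822 message string and report uncovered alternatives."""
    return unsigned_alternatives(message_from_string(raw))
```

A message whose root is multipart/signed, with multipart/alternative inside the signed part, produces no findings because every alternative is covered by the signature.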

