CVE-2019-14664
https://notcve.org/view.php?id=CVE-2019-14664
In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, he unknowingly leaks the plaintext of the encrypted message part(s) back to the attacker. This attack variant bypasses protection mechanisms implemented after the "EFAIL" attacks. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVNTEF3WSOOQYKMIPEH7F77UPXES5BU5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CYWBJHSBBLAHKMRWDWH2XXQDYAGDHB5I https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GHC5WDQ47FQSL5CTGQUYIHVC3RNZ7UH5 https://sourceforge.net/p/enigmail/bugs/984 https://www.enigmail.net/index.php/en/download/changelog • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2019-12269
https://notcve.org/view.php?id=CVE-2019-12269
Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PGP message, an attacker can cause the product to display a "correctly signed" message indication, but display different unauthenticated text. Enigmail anterior a 2.0.11 permite la signature spoofing PGP: para un mensaje PGP en línea, un atacante puede lograr que el producto muestre una mensaje indicativo "correctly signed", pero muestra un texto distinto no autenticado. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00061.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVNTEF3WSOOQYKMIPEH7F77UPXES5BU5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CYWBJHSBBLAHKMRWDWH2XXQDYAGDHB5I https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GHC5WDQ47FQSL5CTGQUYIHVC3RNZ7UH5 https://sourceforge.net/p/enigmail/bugs/983 https://www.enigmail.net/index.php/en/download • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2018-15586 – Johnny You Are Fired
https://notcve.org/view.php?id=CVE-2018-15586
Enigmail before 2.0.6 is prone to to OpenPGP signatures being spoofed for arbitrary messages using a PGP/INLINE signature wrapped within a specially crafted multipart HTML email. Enigmail, en versiones anteriores a la 2.0.6, es propenso a la suplantación de firmas OpenPGP para mensajes arbitrarios mediante una firma PGP/INLINE envuelta en un correo HTML multiparte especialmente manipulado. • http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html http://seclists.org/fulldisclosure/2019/Apr/38 http://www.openwall.com/lists/oss-security/2019/04/30/4 https://github.com/RUB-NDS/Johnny-You-Are-Fired https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf https://sourceforge.net/p/enigmail/bugs/849 • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2018-12019 – Johnny You Are Fired
https://notcve.org/view.php?id=CVE-2018-12019
The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids. La rutina de verificación de firmas en Enigmail en versiones anteriores a la 2.0.7 interpreta los ID de usuario como mensajes de estado/control y no mantiene correctamente el control sobre el estado de múltiples firmas. Esto permite que atacantes remotos suplanten firmas de email arbitrarias mediante claves públicas que contienen ID de usuario primario manipulados. • http://openwall.com/lists/oss-security/2018/06/13/10 http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html http://seclists.org/fulldisclosure/2019/Apr/38 http://www.openwall.com/lists/oss-security/2019/04/30/4 https://github.com/RUB-NDS/Johnny-You-Are-Fired https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf https://www.enigmail.net/index.php/en/download/changelog • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2017-17843
https://notcve.org/view.php?id=CVE-2017-17843
An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002. Se ha descubierto un problema en Enigmail, en versiones anteriores a la 1.9.9, que permite que atacantes remotos activen el uso de una clave pública planeada para el cifrado, debido a que se utilizan expresiones regulares incorrectas para la extracción de una dirección de email de una lista separada por comas. Esto se ha demostrado por el campo Full Name modificado y un ataque homógrafo, también conocido como TBE-01-002. • https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html https://lists.debian.org/debian-security-announce/2017/msg00333.html https://www.debian.org/security/2017/dsa-4070 https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html •