Security update for enigmail SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1708-1 Final 1 1 2018-06-15T15:04:01Z current 2018-06-15T15:04:01Z 2018-06-15T15:04:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for enigmail This update for enigmail fixes vulnerabilities that allowed spoofing of e-mail signatures: - CVE-2018-12019: signature spoofing via specially crafted OpenPGP user IDs (boo#1097525) - CVE-2018-12020: signature spoofing via diagnostic output of the original file name in GnuPG verbose mode (boo#1096745) This mitigation prevents CVE-2018-12020 from being exploited even if GnuPG is not patched. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00028.html E-Mail link for openSUSE-SU-2018:1708-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub for SUSE Linux Enterprise 12 enigmail-2.0.7-18.1 enigmail-2.0.7-18.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 12 The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids. CVE-2018-12019 SUSE Package Hub for SUSE Linux Enterprise 12:enigmail-2.0.7-18.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00028.html https://www.suse.com/security/cve/CVE-2018-12019.html CVE-2018-12019 https://bugzilla.suse.com/1097525 SUSE Bug 1097525 mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. CVE-2018-12020 SUSE Package Hub for SUSE Linux Enterprise 12:enigmail-2.0.7-18.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00028.html https://www.suse.com/security/cve/CVE-2018-12020.html CVE-2018-12020 https://bugzilla.suse.com/1096745 SUSE Bug 1096745 https://bugzilla.suse.com/1101134 SUSE Bug 1101134