mailman-bug: Breaking signatures

Bernhard Reiter bernhard@intevation.de
Wed Oct 1 19:51:03 2003


I've finally reproduced and reported that Mailman 2.1.x bug
that causes some signatures to break.

(Somebody said Ingo already nailed that bug, but I could
not find the Mailman bug report for it, so he might not have
reported it.)

On Tue, Sep 30, 2003 at 10:46:57AM -0700, SourceForge.net wrote:
> Bugs item #815297, was opened at 2003-09-30 19:42
> Message generated for change (Comment added) made by ber
> You can respond by visiting:
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=815297&group_id=103
>

> Initial Comment:
> Mailman _must_ not touch MIME-parts which are nested
> more deeply in the mail. As tested with Mailman 2.1.2,
> header lines will be sometimes reformatted in
> message/rfc822 attachments which will break the OpenPGP
> signature
> (also conforming to the PGP/MIME standard) on that part.

> This is an email security affecting bug, because if people
> start believing that a *BAD* signature does not mean much,
> because they get many broken by mailman, they will not
> react
> to a seriously manipulated email anymore!

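The failure described in the quoted bug report, as an added example that is not part of the original post and not Mailman's code: a check that compares the signed part of a message as submitted and as delivered by the list, and reports whether it is byte-identical, differs only in header folding, or was changed in content. The sample messages, the function names and the three verdict strings are constructed for illustration.

```python
import hashlib
from email import message_from_bytes

def crlf(raw):
    """Canonical CRLF line endings, so transport differences are ignored."""
    return raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def signed_part(raw):
    """Bytes of the first body part of the first multipart/signed entity."""
    raw = crlf(raw)
    for part in message_from_bytes(raw).walk():
        if part.get_content_type() == "multipart/signed":
            delim = b"\r\n--" + part.get_boundary().encode("ascii")
            # pieces[1] = CRLF ending the delimiter line + the signed part
            return raw.split(delim)[1][2:]
    raise ValueError("no multipart/signed entity found")

def unfold(data):
    """Undo header folding (CRLF before whitespace). Heuristic: also joins
    body lines that begin with whitespace, identically on both sides."""
    return data.replace(b"\r\n ", b" ").replace(b"\r\n\t", b"\t")

def classify(before, after):
    """Compare the signed part as submitted and as delivered by the list."""
    a, b = signed_part(before), signed_part(after)
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return "intact"
    return "refolded" if unfold(a) == unfold(b) else "altered"

# Constructed sample: the signed part is a message/rfc822 attachment.
TEMPLATE = (
    "From: alice@example.org\n"
    "Content-Type: multipart/signed; micalg=pgp-sha1;\n"
    ' protocol="application/pgp-signature"; boundary="sig"\n'
    "\n--sig\n"
    "Content-Type: message/rfc822\n\n"
    "From: bob@example.org\n"
    "Subject: %s\n\n"
    "forwarded text\n"
    "--sig\n"
    "Content-Type: application/pgp-signature\n\n"
    "(signature placeholder)\n"
    "--sig--\n"
)
SUBJECT = "quarterly report with a deliberately long subject line that a list server may rewrap"
BEFORE = (TEMPLATE % SUBJECT).encode("ascii")
# Same message after a hop that refolds the nested Subject header.
AFTER = (TEMPLATE % SUBJECT.replace(" that a", "\n that a")).encode("ascii")
```

A "refolded" verdict shows the digest changed although no header value or body text did; "altered" means the content itself differs.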