mailman-bug: Breaking signatures

Bernhard Reiter bernhard at intevation.de
Tue Apr 13 12:47:23 CEST 2004


On Thu, Jan 08, 2004 at 03:11:45PM +0100, Bernhard Reiter wrote:
> Is there nobody out there that could help to fix
> this Mailman 2.1.x bug or raise awareness for this bug?

I have created a patch, also to be found at:
	ftp.intevation.de/users/bernhard/mailman

Mailman might still break signatures if text/html parts are filtered out.
At least this is what I expect, but I did not test it.

> Gpa-dev also runs it and signatures will not be worth much,
> if we don't consider mail transport systems that break them
> a real security problem. People will learn that if a mail was
> manipulated, the mailsystem will be the most likely cause.
> So in practice a really manipulated email will go unnoticed
> with a lot higher chance.

> On Wed, Oct 01, 2003 at 07:24:46PM +0200, Bernhard Reiter wrote:
> > I've finally reproduced and reported that Mailman 2.1.x bug
> > that causes some signatures to break.
> > 
> > (Somebody said Ingo already nailed that bug, but I could
> > not find the Mailman bug report for it, so he might not have
> > reported it.)
> > 
> > On Tue, Sep 30, 2003 at 10:46:57AM -0700, SourceForge.net wrote:
> > > Bugs item #815297, was opened at 2003-09-30 19:42
> > > Message generated for change (Comment added) made by ber
> > > You can respond by visiting: 
> > > https://sourceforge.net/tracker/?func=detail&atid=100103&aid=815297&group_id=103
> > > 
> > 
> > > Initial Comment:
> > > Mailman _must_ not touch MIME-parts which are nested
> > > more deeply in the mail. As tested with Mailman 2.1.2,
> > > header lines will be sometimes reformatted in
> > > message/rfc822 attachments which will break the OpenPGP
> > > signature (also conforming to the PGP/MIME standard) on that part.
> > 
> > > This is an email security affecting bug, because if people
> > > start believing that a *BAD* signature does not mean much,
> > > because they get many broken by mailman, they will not
> > > react to a seriously manipulated email anymore!


-- 
Professional Service for Free Software                 (intevation.net)  
The FreeGIS Project                                       (freegis.org)
Association for a Free Informational Infrastructure          (ffii.org)
FSF Europe                                              (fsfeurope.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2145 bytes
Desc: not available
Url : /pipermail/attachments/20040413/a418203f/smime-0001.bin
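The bug report quoted above says that re-folding header lines inside a nested message/rfc822 part breaks the OpenPGP signature on that part. The reason is that a PGP/MIME signature (RFC 3156) is computed over the exact canonical bytes of the signed MIME entity, headers included, with CRLF line endings, so a cosmetic rewrite that leaves the header semantically identical still changes the hashed bytes. The following Python example is added here to illustrate that point; it is not Mailman's code and not the thread author's patch. It models the signature with a plain SHA-256 digest of the canonical bytes (the real OpenPGP signature adds nothing to the demonstration), and the signed part, its long Subject line and the folding routine are all constructed for the example.

```python
"""Why re-folding headers inside a signed MIME part breaks a PGP/MIME signature.

Added illustration, not Mailman code. A PGP/MIME signature covers the exact
canonical bytes (CRLF line endings, headers included) of the signed entity.
We model the signature hash with SHA-256 over those bytes.
"""
import hashlib
import re

# Constructed signed entity: the headers and body of an inner part that a
# PGP/MIME signature would cover. The Subject line is deliberately longer
# than 78 characters and deliberately not folded.
SIGNED_PART = (
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Subject: A deliberately long subject line that a list processor might "
    b"decide to re-fold at 78 characters\r\n"
    b"\r\n"
    b"Please verify this message.\r\n"
)


def signature_digest(entity: bytes) -> str:
    """Stand-in for the OpenPGP hash over the canonical form of the signed entity."""
    return hashlib.sha256(entity).hexdigest()


def fold_long_headers(entity: bytes, limit: int = 78) -> bytes:
    """Re-fold header lines longer than `limit` using RFC 5322 folding (CRLF + SP).

    Models the cosmetic header reformatting the bug report describes: after
    unfolding the header is identical, but the transmitted bytes differ.
    The body after the blank line is left untouched.
    """
    head, sep, body = entity.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        while len(line) > limit:
            # Break at the last space before the limit; the continuation line
            # starts with a single space, which is the folding whitespace.
            cut = line.rfind(b" ", 0, limit)
            if cut <= 0:
                break
            out.append(line[:cut])
            line = b" " + line[cut + 1:]
        out.append(line)
    return b"\r\n".join(out) + sep + body


def unfold_headers(entity: bytes) -> bytes:
    """RFC 5322 unfolding: a CRLF immediately followed by whitespace is removed."""
    head, sep, body = entity.partition(b"\r\n\r\n")
    return re.sub(rb"\r\n(?=[ \t])", b"", head) + sep + body


def verify(original_digest: str, received: bytes) -> bool:
    """Signature check as a verifier performs it: hash the bytes exactly as received."""
    return signature_digest(received) == original_digest


if __name__ == "__main__":
    sig = signature_digest(SIGNED_PART)
    relayed = fold_long_headers(SIGNED_PART)
    print("untouched part verifies:   ", verify(sig, SIGNED_PART))
    print("re-folded part verifies:   ", verify(sig, relayed))
    print("same header after unfolding:", unfold_headers(relayed) == SIGNED_PART)
```

The last line of the demo is the point of the bug report: the re-folded part carries exactly the same header information, yet the signature over it no longer verifies, so a recipient sees a BAD signature for a message nobody tampered with. A list processor that has to modify the outer message (list prefix, footer, content filtering) must therefore pass nested message/rfc822 and multipart/signed entities through byte for byte rather than re-serialising them.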