mailman-bug: Breaking signatures

Bernhard Reiter bernhard at intevation.de
Thu Jan 8 15:11:45 CET 2004


Is there nobody out there that could help to fix
this Mailman 2.1.x bug or raise awareness for this bug?

Gpa-dev also runs it and signatures will not be worth much,
if we don't consider mail transport systems that break them
a real security problem. People will learn that if a mail was
manipulated, the mail system will be the most likely cause.
So in practice a really manipulated email will go unnoticed
with a much higher chance.

One idea for more awareness I had was to test that the bug is there
on a Debian sid or woody machine and file a security level bug
in Debian. Can anybody help with this?

	Bernhard


On Wed, Oct 01, 2003 at 07:24:46PM +0200, Bernhard Reiter wrote:
> I've finally reproduced and reported that Mailman 2.1.x bug
> that causes some signatures to break.
> 
> (Somebody said Ingo already nailed that bug, but I could
> not find the Mailman bug report for it, so he might not have
> reported it.)
> 
> On Tue, Sep 30, 2003 at 10:46:57AM -0700, SourceForge.net wrote:
> > Bugs item #815297, was opened at 2003-09-30 19:42
> > Message generated for change (Comment added) made by ber
> > You can respond by visiting: 
> > https://sourceforge.net/tracker/?func=detail&atid=100103&aid=815297&group_id=103
> > 
> 
> > Initial Comment:
> > Mailman _must_ not touch MIME-parts which are nested
> > more deeply in the mail. As tested with Mailman 2.1.2,
> > header lines will sometimes be reformatted in
> > message/rfc822 attachments which will break the OpenPGP
> > signature
> > (also conforming to the PGP/MIME standard) on that part.
> 
> > This is an email-security-affecting bug, because if people
> > start believing that a *BAD* signature does not mean much,
> > because they get many broken by mailman, they will not
> > react to a seriously manipulated email anymore!



-- 
Professional Service for Free Software                 (intevation.net)  
The FreeGIS Project                                       (freegis.org)
Association for a Free Informational Infrastructure          (ffii.org)
FSF Europe                                              (fsfeurope.org)
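As an added illustration (not part of the original mail, nor Mailman code), the Python below models why reformatting header lines inside a signed message/rfc822 part breaks a PGP/MIME signature: RFC 3156 signs the canonical bytes of the whole MIME entity, headers included, so a fold that is semantically harmless under RFC 2822 still changes the signed bytes. The message is constructed, and a SHA-256 digest stands in for the OpenPGP signature.

```python
import hashlib
import re

def canonicalize(part: str) -> bytes:
    """RFC 3156 canonical form of the signed MIME entity (headers and body):
    CRLF line endings and no trailing whitespace on any line."""
    lines = [ln.rstrip(" \t") for ln in part.replace("\r\n", "\n").split("\n")]
    return "\r\n".join(lines).encode("ascii")

def sign(part: str) -> str:
    """Stand-in for the OpenPGP detached signature: a SHA-256 digest of the
    canonical bytes (a real signature also binds a key; omitted here)."""
    return hashlib.sha256(canonicalize(part)).hexdigest()

def verify(part: str, sig: str) -> bool:
    return sign(part) == sig

# Constructed signed part, as in the bug report: a nested message/rfc822
# entity whose Subject header is longer than 78 characters.
SIGNED_PART = (
    "Content-Type: message/rfc822\n"
    "\n"
    "From: alice@example.org\n"
    "To: gpa-dev@example.org\n"
    "Subject: A rather long subject line that exceeds the seventy-eight"
    " character limit that RFC 2822 recommends for header lines\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Forwarded message body.\n"
)

def refold_long_lines(part: str, limit: int = 78) -> str:
    """Models list software re-folding over-long header lines inside the
    nested part: a legal RFC 2822 fold, but it changes the signed bytes."""
    out = []
    for line in part.split("\n"):
        while len(line) > limit:
            cut = line.rfind(" ", 0, limit)
            if cut <= 0:
                break
            out.append(line[:cut])
            line = " " + line[cut + 1:]  # continuation line starts with whitespace
        out.append(line)
    return "\n".join(out)

def unfold(part: str) -> str:
    """RFC 2822 unfolding (line break plus leading whitespace becomes one
    space): shows the refolded header still carries the same value."""
    return re.sub(r"\n[ \t]+", " ", part)
```

Verification still succeeds when only line endings change (canonicalization absorbs LF/CRLF differences), but fails once a header inside the signed part is refolded, even though unfolding gives back the identical header value.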