mailman-bug: Breaking signatures
Bernhard Reiter
bernhard at intevation.de
Thu Jan 8 15:11:45 CET 2004
Is there nobody out there that could help to fix
this Mailman 2.1.x bug or raise awareness for this bug?
Gpa-dev also runs it and signatures will not be worth much,
if we don't consider mail transport systems that break them
a real security problem. People will learn that if a mail was
manipulated, the mail system will be the most likely cause.
So in practice a really manipulated email will go unnoticed
with a lot higher chance.
One idea for more awareness I had was to test that the bug is there
on a Debian sid or woody machine and file a security level bug
in Debian. Can anybody help with this?
Bernhard
On Wed, Oct 01, 2003 at 07:24:46PM +0200, Bernhard Reiter wrote:
> I've finally reproduced and reported that Mailman 2.1.x bug
> that causes some signatures to break.
>
> (Somebody said Ingo already nailed that bug, but I could
> not find the Mailman bug report for it, so he might not have
> reported it.)
>
> On Tue, Sep 30, 2003 at 10:46:57AM -0700, SourceForge.net wrote:
> > Bugs item #815297, was opened at 2003-09-30 19:42
> > Message generated for change (Comment added) made by ber
> > You can respond by visiting:
> > https://sourceforge.net/tracker/?func=detail&atid=100103&aid=815297&group_id=103
> >
>
> > Initial Comment:
> > Mailman _must_ not touch MIME-parts which are nested
> > more deeply in the mail. As tested with Mailman 2.1.2,
> > header lines will be sometimes reformatted in
> > message/rfc822 attachments which will break the OpenPGP
> > signature (also conforming to the PGP/MIME standard) on that part.
>
> > This is an email security-affecting bug, because if people
> > start believing that a *BAD* signature does not mean much,
> > because they get many broken by mailman, they will not
> > react to a seriously manipulated email anymore!
--
Professional Service for Free Software (intevation.net)
The FreeGIS Project (freegis.org)
Association for a Free Informational Infrastructure (ffii.org)
FSF Europe (fsfeurope.org)