mailman-bug: Breaking signatures
I've finally reproduced and reported that Mailman 2.1.x bug
that causes some signatures to break.

(Somebody said Ingo already nailed that bug, but I could
not find the Mailman bug report for it, so he might not have
reported it.)

On Tue, Sep 30, 2003 at 10:46:57AM -0700, SourceForge.net wrote:
> Bugs item #815297, was opened at 2003-09-30 19:42
> Message generated for change (Comment added) made by ber
> You can respond by visiting:
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=815297&group_id=103
>

> Initial Comment:
> Mailman _must_ not touch MIME-parts which are nested
> more deeply in the mail. As tested with Mailman 2.1.2,
> header lines will be sometimes reformatted in
> message/rfc822 attachments which will break the OpenPGP
> signature
> (also conforming to the PGP/MIME standard) on that part.

> This is an email security affecting bug, because if people
> start believing that a *BAD* signature does not mean much,
> because they get many broken by mailman, they will not
> react
> to a seriously manipulated email anymore!
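The failure mode the bug report describes, as an added example that is not part of the thread or of Mailman: a signed message/rfc822 part is parsed and re-serialised by a list processor, once with header refolding allowed and once with headers passed through untouched, and the signature is modelled as a digest over the exact bytes RFC 3156 signs. The sample part, the 78-column folding limit and the use of Python's email package as the "relay" are all assumptions made for the demonstration.

```python
import hashlib
from email import message_from_bytes, policy

# Constructed sample (not from the archive): the MIME part covered by the
# PGP/MIME signature is a message/rfc822 attachment whose inner message has
# a Subject header far longer than the 78-column folding limit.
SIGNED_PART = (
    b"Content-Type: message/rfc822\r\n"
    b"Content-Disposition: attachment\r\n"
    b"\r\n"
    b"From: alice@example.org\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: " + b"status " * 22 + b"\r\n"  # ~160 columns, refold candidate
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"forwarded text\r\n"
)


def signature_digest(part: bytes) -> str:
    """Stand-in for the OpenPGP signature: RFC 3156 signs the canonical CRLF
    bytes of the part, headers included, so any byte change invalidates it."""
    return hashlib.sha256(part).hexdigest()


def relay_through_list(part: bytes, refold: str) -> bytes:
    """Simulate a list processor that parses the part and re-serialises it.
    refold='long' lets the serialiser rewrap over-long header lines (the kind
    of rewrite the report describes); refold='none' emits headers as received."""
    pol = policy.SMTP.clone(refold_source=refold)
    return message_from_bytes(part, policy=pol).as_bytes(policy=pol)


def signature_survives(original: bytes, relayed: bytes) -> bool:
    return signature_digest(original) == signature_digest(relayed)


def first_changed_line(original: bytes, relayed: bytes):
    """Return (index, before, after) for the first altered line, else None,
    so a BAD signature can be traced to the concrete header that was touched."""
    pairs = zip(original.split(b"\r\n"), relayed.split(b"\r\n"))
    for i, (a, b) in enumerate(pairs):
        if a != b:
            return i, a, b
    return None


if __name__ == "__main__":
    for mode in ("long", "none"):
        out = relay_through_list(SIGNED_PART, mode)
        print(f"refold_source={mode!r}: signature ok = {signature_survives(SIGNED_PART, out)}")
        if (hit := first_changed_line(SIGNED_PART, out)) is not None:
            print(f"  line {hit[0]} changed: {hit[1][:40]!r} -> {hit[2][:40]!r}")
```

Only the pass-through mode reproduces the signed bytes; the refolding mode rewrites the nested Subject line and the check fails even though nobody tampered with the content.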
Re: mailman-bug: Breaking signatures
Is there nobody out there that could help to fix
this Mailman 2.1.x bug or raise awareness for this bug?

Gpa-dev also runs it and signatures will not be worth much,
if we don't consider mail transport systems that break them
a real security problem. People will learn that if a mail was
manipulated, the mail system will be the most likely cause.
So in practice a really manipulated email will go unnoticed
with a lot higher chance.

One idea for more awareness I had was to test that the bug is there
on a Debian sid or woody machine and file a security level bug
in Debian. Can anybody help with this?

Bernhard


On Wed, Oct 01, 2003 at 07:24:46PM +0200, Bernhard Reiter wrote:
> I've finally reproduced and reported that Mailman 2.1.x bug
> that causes some signatures to break.
>
> (Somebody said Ingo already nailed that bug, but I could
> not find the Mailman bug report for it, so he might not have
> reported it.)
>
> On Tue, Sep 30, 2003 at 10:46:57AM -0700, SourceForge.net wrote:
> > Bugs item #815297, was opened at 2003-09-30 19:42
> > Message generated for change (Comment added) made by ber
> > You can respond by visiting:
> > https://sourceforge.net/tracker/?func=detail&atid=100103&aid=815297&group_id=103
> >
>
> > Initial Comment:
> > Mailman _must_ not touch MIME-parts which are nested
> > more deeply in the mail. As tested with Mailman 2.1.2,
> > header lines will be sometimes reformatted in
> > message/rfc822 attachments which will break the OpenPGP
> > signature
> > (also conforming to the PGP/MIME standard) on that part.
>
> > This is an email security affecting bug, because if people
> > start believing that a *BAD* signature does not mean much,
> > because they get many broken by mailman, they will not
> > react
> > to a seriously manipulated email anymore!



--
Professional Service for Free Software (intevation.net)
The FreeGIS Project (freegis.org)
Association for a Free Informational Infrastructure (ffii.org)
FSF Europe (fsfeurope.org)
Re: mailman-bug: Breaking signatures
On Thu, Jan 08, 2004 at 03:11:45PM +0100, Bernhard Reiter wrote:
> Is there nobody out there that could help to fix
> this Mailman 2.1.x bug or raise awareness for this bug?

I have created a patch, also to be found at:
ftp.intevation.de/users/bernhard/mailman

Mailman might still break signatures if text/html parts are filtered out.
At least this is what I expect, but did not test.

> Gpa-dev also runs it and signatures will not be worth much,
> if we don't consider mail transport systems that break them
> a real security problem. People will learn that if a mail was
> manipulated, the mailsystem will be the most likely cause.
> So in practice a really manipulated email will go unnoticed
> with a lot higher chance.

> On Wed, Oct 01, 2003 at 07:24:46PM +0200, Bernhard Reiter wrote:
> > I've finally reproduced and reported that Mailman 2.1.x bug
> > that causes some signatures to break.
> >
> > (Somebody said Ingo already nailed that bug, but I could
> > not find the Mailman bug report for it, so he might not have
> > reported it.)
> >
> > On Tue, Sep 30, 2003 at 10:46:57AM -0700, SourceForge.net wrote:
> > > Bugs item #815297, was opened at 2003-09-30 19:42
> > > Message generated for change (Comment added) made by ber
> > > You can respond by visiting:
> > > https://sourceforge.net/tracker/?func=detail&atid=100103&aid=815297&group_id=103
> > >
> >
> > > Initial Comment:
> > > Mailman _must_ not touch MIME-parts which are nested
> > > more deeply in the mail. As tested with Mailman 2.1.2,
> > > header lines will be sometimes reformatted in
> > > message/rfc822 attachments which will break the OpenPGP
> > > signature
> > > (also conforming to the PGP/MIME standard) on that part.
> >
> > > This is an email security affecting bug, because if people
> > > start believing that a *BAD* signature does not mean much,
> > > because they get many broken by mailman, they will not
> > > react
> > > to a seriously manipulated email anymore!
>
>
>
> --
> Professional Service for Free Software (intevation.net)
> The FreeGIS Project (freegis.org)
> Association for a Free Informational Infrastructure (ffii.org)
> FSF Europe (fsfeurope.org)



> _______________________________________________
> Gpa-dev mailing list
> Gpa-dev@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gpa-dev


--
Professional Service for Free Software (intevation.net)
The FreeGIS Project (freegis.org)
Association for a Free Informational Infrastructure (ffii.org)
FSF Europe (fsfeurope.org)