[ mailman-Bugs-815297 ] Breaking signatures in message/rfc822 attachment!
SourceForge.net
noreply at sourceforge.net
Fri Oct 3 11:54:22 EDT 2003
Bugs item #815297, was opened at 2003-09-30 17:42
Message generated for change (Comment added) made by mmutz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=815297&group_id=103
Category: security/privacy
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Bernhard Reiter (ber)
Assigned to: Nobody/Anonymous (nobody)
Summary: Breaking signatures in message/rfc822 attachment!
Initial Comment:
Mailman _must_ not touch MIME parts which are nested more deeply in the mail. As tested with Mailman 2.1.2, header lines will sometimes be reformatted in message/rfc822 attachments, which will break the OpenPGP signature (also conforming to the PGP/MIME standard) on that part.

I'm attaching a simple email with one long header. Forward this as a MIME part, sign it, and send it through Mailman: the signature will be broken.

This is an email-security-affecting bug, because if people start believing that a *BAD* signature does not mean much, because they get many broken by Mailman, they will not react to a seriously manipulated email anymore!
----------------------------------------------------------------------
Comment By: Marc Mutz (mmutz)
Date: 2003-10-03 15:54
Message:
Logged In: YES
user_id=82377
This is not limited to message/rfc822 at all:
As a specific example, create a message with an attachment
and add the header
Content-Disposition: attachment; filename="more-than-70-chars.txt"
(all in a single line), then send it through a mailman-managed ml.
Result: mailman "fixes" the message to look like
Content-Disposition: attachment;
\tfilename="more-than-70-chars.txt"
It even does that inside a multipart/signed part, and this is
where it breaks the signature verification.
----------------------------------------------------------------------
Comment By: Bernhard Reiter (ber)
Date: 2003-09-30 17:46
Message:
Logged In: YES
user_id=113859
Here is the email signed by myself and broken
after delivery through mailman. Check the "To:" header line.
----------------------------------------------------------------------
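As an added worked example (not code from the bug report, and not Mailman's own code): the check a list operator or mail-pipeline author would want for the problem reported in this thread. It isolates the bytes an RFC 3156 verifier actually hashes, namely the first body part of the multipart/signed including its headers, in CRLF form, and compares them before and after re-serialisation. Two re-serialisers are run side by side: Python 3's stock email.generator.BytesGenerator, which switches header wrapping off inside multipart/signed, and a constructed subclass that wraps headers in every part, standing in for the behaviour Marc Mutz describes. The message is a constructed sample with a placeholder where a real OpenPGP signature would be; the signed part carries a Content-Disposition header longer than the 70-column limit mentioned above. The 70-column limit, the generator subclass and the function names are the example's own choices.

```python
import hashlib
from email import message_from_bytes
from email.generator import BytesGenerator
from io import BytesIO

# Constructed sample (hypothetical addresses, no real OpenPGP signature; only
# the bytes a verifier would hash are compared). LF line endings throughout;
# CRLF canonicalisation happens in signed_payload() below.
SAMPLE = b"""\
From: alice@example.org
To: list@example.org
Subject: constructed multipart/signed sample
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="outer"; micalg=pgp-sha256; protocol="application/pgp-signature"

--outer
Content-Type: text/plain
Content-Disposition: attachment; filename="more-than-seventy-characters-in-the-name-of-this-attachment.txt"

Hello, list.
--outer
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

placeholder-not-a-real-signature
-----END PGP SIGNATURE-----
--outer--
"""


def signed_payload(raw: bytes) -> bytes:
    """Return the bytes an RFC 3156 verifier hashes: the first body part of the
    multipart/signed (headers included), up to but excluding the line break
    that belongs to the following boundary, in canonical CRLF form."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    boundary = msg.get_boundary().encode()
    body_start = raw.index(b"\n\n") + 2  # skip the outer header block
    first = raw.index(b"--" + boundary + b"\n", body_start) + len(boundary) + 3
    end = raw.index(b"\n--" + boundary, first)
    return raw[first:end].replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def signed_digest(raw: bytes) -> str:
    """SHA-256 over the signed bytes; a changed digest means a BAD signature."""
    return hashlib.sha256(signed_payload(raw)).hexdigest()


class FoldEverywhereGenerator(BytesGenerator):
    """Re-folds long header lines in every part, signed parts included.
    Constructed stand-in for the list-server behaviour reported in the bug;
    not Mailman's code."""

    def _handle_multipart_signed(self, msg):
        self._handle_multipart(msg)  # drop the stdlib's no-wrap protection


def relay(raw: bytes, generator_cls=BytesGenerator, maxheaderlen: int = 70) -> bytes:
    """Parse and re-serialise the message, wrapping header lines longer than
    maxheaderlen the way a header-rewriting list server would."""
    buf = BytesIO()
    gen = generator_cls(buf, mangle_from_=False, maxheaderlen=maxheaderlen)
    gen.flatten(message_from_bytes(raw))
    return buf.getvalue()


def relay_fold_everywhere(raw: bytes) -> bytes:
    return relay(raw, FoldEverywhereGenerator)


def relay_stock(raw: bytes) -> bytes:
    # The stock BytesGenerator turns header wrapping off inside multipart/signed.
    return relay(raw, BytesGenerator)


def signature_survives(original: bytes, relayed: bytes) -> bool:
    """True iff the signed bytes came through the relay unchanged."""
    return signed_payload(original) == signed_payload(relayed)


if __name__ == "__main__":
    for name, fn in (("fold everywhere", relay_fold_everywhere),
                     ("stock generator", relay_stock)):
        out = fn(SAMPLE)
        print(f"{name}: signed part intact = {signature_survives(SAMPLE, out)}")
```

With the folding generator the Content-Disposition line comes out split across two lines, the change described in the comment above (the continuation here begins with a space; the report shows a tab), and the digest over the signed part no longer matches the original; the stock generator leaves the signed part byte-for-byte intact. Running signed_payload over a copy of a message captured before and after a list relay is a quick way to tell whether a BAD signature came from the relay rather than from tampering with the content.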