| Name | CVE-2018-12019 |
| Description | The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| enigmail (PTS) | jessie, jessie (lts) | 2:1.9.9-1~deb8u1 | vulnerable |
| buster | 2:2.2.4-0.2~deb10u1 | fixed | |
| buster (security), buster (lts) | 2:2.1.3+ds1-4~deb10u2 | fixed | |
| bullseye | 2:2.2.4-0.3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| enigmail | source | wheezy | (unfixed) | end-of-life | ||
| enigmail | source | jessie | (unfixed) | end-of-life | ||
| enigmail | source | (unstable) | 2:2.0.7-1 |
[jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
https://www.openwall.com/lists/oss-security/2018/06/13/10
https://neopg.io/blog/enigmail-signature-spoof/