Project

General

Profile

Bug #8999

Claws Mail leaks cleartext of encrypted email to the IMAP server

Added by intrigeri over 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Low
Assignee:
-
Category:
-
Target version:
-
Start date:
03/03/2015
Due date:
% Done:

100%

QA Check:
Feature Branch:
Type of work:
Research
Blueprint:
Easy:
No
Affected tool:
Email Client

Description

With the default configuration, it leaks at least to the Drafts (according to #8986) and Queue IMAP folders (see "PGP MIME is insecure (for me)" thread on -dev@ https://mailman.boum.org/pipermail/tails-dev/2015-February/008275.html).

Setting Elevated priority: even if we plan to replace it with Icedove, we still ship Claws Mail and those issues seem serious to me. Worst case, it can be addressed by documentation, and issueing a security advisory pointing to that doc. Existing users of Claws Mail with persistence will need to be explained how to fix their settings anyway.

Upstream ticket: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2965


Subtasks

Bug #8986: Claws Mail leaks cleartext of encrypted email to the Drafts IMAP folderResolved

Feature #9302: Consider shipping claws-mail 3.10.1-2~bpo70+1Rejected

Bug #9000: Claws Mail leaks cleartext of encrypted email to the Queue IMAP folderRejected

Bug #9161: Write a security advisory about Claws leaking cleartext to IMAP serverResolvedsajolida


Related issues

Related to Tails - Feature #5316: Improve OpenPGP documentation Confirmed 01/05/2014

History

#1 Updated by sajolida over 2 years ago

#2 Updated by BitingBird over 2 years ago

not fixed -> postponing

#3 Updated by BitingBird over 2 years ago

  • Target version changed from Tails_1.3.2 to Tails_1.4

#4 Updated by sajolida over 2 years ago

I could write a security advisory but first I'd like to be sure whether the problem can or cannot be adressed by technical means in our next version. As the resulting advisory will be much different. So make sure to ping me where this has been investigated enough.

#5 Updated by intrigeri over 2 years ago

I could write a security advisory

Excellent!

but first I'd like to be sure whether the problem can or cannot be adressed by technical means in our next version.

Fully agreed.

So make sure to ping me where this has been investigated enough.

I'm not aware of anyone being investigating this topic, so I'm afraid you might wait for a while :(
So perhaps we should set a timeout (e.g. 1-2 weeks before the freeze for 1.4).

#6 Updated by sajolida over 2 years ago

anonym did something in https://mailman.boum.org/pipermail/tails-dev/2015-March/008504.html

I'm fine with the timeout. We could use the date of the freeze as deadline because if it's not fixed by then, it won't be fixed in time.

That's now #9161.

#7 Updated by intrigeri over 2 years ago

anonym did something in https://mailman.boum.org/pipermail/tails-dev/2015-March/008504.html

Trying to beat me at arguing endlessly and having the last word, are you? Then good luck with it, I still have a little bit more experience at it ;)

Joke aside, in case you're somewhat counting on anonym, here's some additional info: he made it clear since that he isn't taking responsibility for fixing that bug during the 1.4 dev cycle. That's what I meant with "I'm not aware of anyone being investigating this topic".

That's now #9161.

\o/

#8 Updated by bertagaz over 2 years ago

  • Easy set to No

Had a quick look, and it seems to be a known bug referenced or mentioned here and there:

One workaround I've found is to create a local mail folder in claws mail, and then configure the IMAP account to use this local drafts/ and queue/ folder in the advanced section of its configuration.

The draft or deferred emails are then stored in this folders. That's half satisfying, because the emails are not stored on the IMAP server, but they still are unencrypted.

I'm not sure how this can be used in our shipped default configuration bits, but it should be doable. That's probably the next step to test if we think it's still relevant to use this workaround.

At least that might be something worth mentioning if we stick on writing a security advisory in the 1.4 release.

#9 Updated by intrigeri over 2 years ago

I'm not sure how this can be used in our shipped default configuration bits, but it should be doable. That's probably the next step to test if we think it's still relevant to use this workaround.

Agreed, best would be to make this the default configuration for new accounts. Migrating existing accounts is probably harder, and anyway it's less important since it can be covered by documentation + a security advisory.

At least that might be something worth mentioning if we stick on writing a security advisory [...]

Agreed, IMO that's precisely what we should document + point to in the security advisory, if we can't automate it.

#10 Updated by bertagaz over 2 years ago

In the end it seems not possible to use the accountrc.tmpl file to seed the user configuration with one that would workaround this issue.

We can't use the set_queue_folder=, queue_folder=, set_draft_folder= and draft_folder= in there according to the claws-mail manual (and tests).

So we're probably stuck with using a wrapper that would:
  • add a mh to the folderlist.xml file once it exists and is configured to use IMAP
  • configure the settings above to use this as the default Queue and Drafts folders.

Doesn't sound that easy.

Maybe the claws mail python plugin can help here, but I'm not sure it gives access to this settings.

#11 Updated by intrigeri over 2 years ago

So we're probably stuck with using a wrapper that would:
  • add a mh to the folderlist.xml file once it exists and is configured to use IMAP
  • configure the settings above to use this as the default Queue and Drafts folders.

Doesn't sound that easy.

Indeed :( IMO it's not worth it and likely to be fragile, so we should go the documentation + security advisory way, given we're going to switch to Icedove soonish. However, perhaps we should have a wrapper around Claws Mail that warns users about it and points to the corresponding documentation. Perhaps that wrapper can create a file the first time it's run, and then not display the warning if that file exists.

#12 Updated by sajolida over 2 years ago

  • Assignee set to sajolida

Now assigning this to myself to prepare documentation and a security warning.

If I understand correctly, I should build upon the workaround described in note-#8 and http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2661#c17.

And also, regarding the debugging process behind that bug shall we contact the Claws Mail people about the fact that this bug affects Tails and that we are considering issuing a security advisory regarding that issue? Because this will bring them (and us) quite a bit of bad advertising and maybe they prefer to fix it promptly instead :) Could this go into a Debian security update?

#13 Updated by intrigeri over 2 years ago

And also, regarding the debugging process behind that bug shall we contact the Claws
Mail people about the fact that this bug affects Tails and that we are considering
issuing a security advisory regarding that issue? Because this will bring them (and
us) quite a bit of bad advertising and maybe they prefer to fix it promptly
instead :)

Good idea.

Could this go into a Debian security update?

I'm not sure what's "this", given we actually have no fix but merely doc workarounds.

#14 Updated by bertagaz over 2 years ago

Here's a quick sum up of the workaround to this bug, to help in writing the documentation:

After having configured an IMAP account in Claws-mail, one must got to File -> Add mailbox -> MH...
Then choose a path where to store the new mailbox, somewhere under $HOME/.claws-mail to take advantages of the persistence.

Once done, go to the Configuration menu, choose Preference for current account..., then in the Advanced menu, in the Folder section check Put queued messages in and browse to choose the newly created MH queue folder (and not the IMAP one). Repeat for the Put draft messages in. Then you're done.

Hope this helps.

#15 Updated by sajolida over 2 years ago

I'm not sure what's "this", given we actually have no fix but merely doc workarounds.

I have the impression that Claws upstream didn't really get the impact
of this bug and didn't take it as seriously as it should.

So, if Tails points out to them that it really is important and that we
are about to issue a security advisory about it, then Claws might
release a fix. If this happens, could their fix go into a Debian
security update, and then we wouldn't have to issue that security
advisory if done quickly?

#16 Updated by intrigeri over 2 years ago

So, if Tails points out to them that it really is important and that we are about to issue a security advisory about it, then Claws might release a fix.

I think it's worth trying.

If this happens, could their fix go into a Debian security update, and then we wouldn't have to issue that security advisory if done quickly?

Yes, perhaps.

So, what fix do we want to suggest them? I guess that creating local folders and using them for saving drafts etc. is too involved for a backportable security patch (and not so good UX wise). How do other MUAs do (in particular Icedove + Enigmail)?

#17 Updated by BitingBird over 2 years ago

If you have enigmail, icedove asks before saving a draft if you want to encrypt it, and if yes with what key. It does this elso if your draft folder is local.

#18 Updated by sajolida over 2 years ago

  • Description updated (diff)

#20 Updated by BitingBird over 2 years ago

#21 Updated by BitingBird over 2 years ago

  • Description updated (diff)

#22 Updated by sajolida over 2 years ago

Yeah, and have the same workaround as bertagaz found.

#23 Updated by sajolida over 2 years ago

  • Assignee deleted (sajolida)
  • Target version deleted (Tails_1.4)

We did all we could do on this issue and will release an advisory before 1.4. There's not much else we can do for the time being, so I'm removing this from 1.4 as it won't be solved by then. Deassigning it from me either.

#24 Updated by paul about 2 years ago

Why was this issue not fixed in Tails 1.4.1? The fix was available from Claws Mail GIT for a week before the date of Tails 1.4.1 release.

#25 Updated by bertagaz about 2 years ago

paul wrote:

Why was this issue not fixed in Tails 1.4.1? The fix was available from Claws Mail GIT for a week before the date of Tails 1.4.1 release.

Yeah sure, so we should have build a new Debian package that we'd either upload into Debian (which is the path we prefer as discussed on the tails-dev list) or in our own APT repo, tested this patch (because it's not so obvious it actually fixes the bugs we raised), all that in a week, after we freezed the 1.4.1 release?

Sorry, but that's not possible, we won't put the effort to integrate such a patch in such a short time without proper testing. Needless to say that we are already all quite busy with Tails.

#26 Updated by intrigeri about 2 years ago

Also, note that if a CVE had been requested by Claws Mail upstream, this problem would have popped up on Debian security team's radar.

#27 Updated by paul about 2 years ago

@bertagaz: well, you have barely more than a handful of security issues listed, so breaking the freeze seems reasonable to me, although I don't know what you polcies are. I think if you had tested the patch you would find it quite obvious that it fixes the bug.

@intrigeri: a CVE would have been inappropriate for this, for reasons cited elsewhere.

#28 Updated by BitingBird about 2 years ago

No new version in Debian, and I don't see a bug report about this... should it be filed ?

#29 Updated by intrigeri about 2 years ago

No new version in Debian, and I don't see a bug report about this... should it be filed ?

Yes, it would be great.

#30 Updated by paul about 2 years ago

BitingBird wrote:

No new version in Debian, and I don't see a bug report about this... should it be filed ?

No need for that, version 3.12.0 is already on its way to being in debian.

#31 Updated by Kurtis about 2 years ago

Just for references purposes, here's the link to the bug fix on the Claws-Mail site. http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2965

Will claws-mail be updated upstream in Debian to include this bug fix and then brought into Tails? If not, how will this get fixed?

#32 Updated by intrigeri about 2 years ago

Will claws-mail be updated upstream in Debian to include this bug fix and then brought into Tails?

Once the fix is in Debian unstable, someone might want to talk to the Debian security team about it.
No idea if the upstream patches apply on Debian oldstable (Wheezy) and/or stable (Jessie) version of Claws Mail, though.

If not, how will this get fixed?

By switching to Icedove.

#33 Updated by baitisj about 2 years ago

I opened a more narrowly defined issue:

http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3508

I think this covers the other half of the concern voiced previously that was marked as "resolved"

#34 Updated by u over 1 year ago

  • Status changed from Confirmed to Resolved

Closing as we will soon drop Claws completely and have already advised users to use Icedove instead.

Also available in: Atom PDF