Closed Bug 1671735 (RNP-01-audit) Opened 1 year ago Closed 8 months ago

Audit-Report RNP & Thunderbird Integration 08.2020 (tracking)

Product/Component: MailNews Core :: Security: OpenPGP
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: 91 Branch
Tracking Status: thunderbird_esr78 unaffected
Reporter: wsmwk
Assignee: Unassigned
Keywords: meta, sec-other
Attachments: 1 file

Identified Vulnerabilities:

  • RNP-01-001 WP1 RNP: Integer overflow due to expiration time of PGP v3 keys (Low) - bug 1671737
  • RNP-01-004 WP1 RNP: Potential Integer underflow in partial_dst_write() (Low) - bug 1671738
  • RNP-01-005 WP1 RNP: Literal packet parsing allows for Integer underflow (Low) - bug 1671758
  • RNP-01-006 WP2 Thunderbird: Evaluation of password strength insufficient (Low) - bug 1671759
  • RNP-01-007 WP1 RNP: encrypt_secret_key() does not wipe keybuf from memory (Low) - bug 1673236
  • RNP-01-012 WP1 Thunderbird: Logic issue potentially leaves key material unlocked (Medium) - bug 1673239
  • RNP-01-014 WP1 Thunderbird: Key manipulation via uncertified Auto-Import (Medium) - bug 1673240

Miscellaneous Issues:

  • RNP-01-002 WP3 Thunderbird: Automatic handling of autocrypt-gossip header (Info)
  • RNP-01-003 WP3 Thunderbird: Possible race condition when reading from disk (Info)
  • RNP-01-008 WP3 Thunderbird: Partially unencrypted email insufficiently detected (Low) - bug 1673241
  • RNP-01-009 WP1 RNP: mem_dest_own_memory() callers do not check for NULL (Info)
  • RNP-01-010 WP1 Thunderbird: Outdated and vulnerable Botan library version (Info)
  • RNP-01-011 WP1 RNP: Potential overflow in librepgp due to invalid size check (Low) - bug 1673242
  • RNP-01-013 WP2 Thunderbird: Forbidden cipher-suites/algorithms recommendations (Info)
Depends on: 1671737
Depends on: 1671738
Depends on: 1671758
Depends on: 1671759
Depends on: 1673236
Depends on: CVE-2021-29950
Depends on: CVE-2021-23991
Depends on: CVE-2021-29957
Depends on: 1673242

I believe all non-Info findings in Attachment 9182160 [details] now have bug reports, can be prioritized, and given sec-xxxx ratings. "Thunderbird:" and "RNP:" in the bug summary indicate responsibility of the respective organizations.

Bugs will also be created for Info findings unless someone decides otherwise.

All items are considered confidential until the report is publicly released, or as individual items are made public.

Flags: needinfo?(tom)
Flags: needinfo?(kaie)

AFAIK, assigning security ratings for Thunderbird is Kaie's decision. But feel free to ping if you want help/input!

Flags: needinfo?(tom)
Flags: needinfo?(kaie)

Kaie, these cover your comments from August 24, 2020 email ...

(In reply to Wayne Mery (:wsmwk) from comment #0)

Created attachment 9182160 [details]
cure53 RNP-01-report.pdf

Identified Vulnerabilities:

  • RNP-01-001 WP1 RNP: Integer overflow due to expiration time of PGP v3 keys (Low) - bug 1671737
  • RNP-01-004 WP1 RNP: Potential Integer underflow in partial_dst_write() (Low) - bug 1671738
  • RNP-01-005 WP1 RNP: Literal packet parsing allows for Integer underflow (Low) - bug 1671758
  • RNP-01-006 WP2 Thunderbird: Evaluation of password strength insufficient (Low) - bug 1671759
  • RNP-01-007 WP1 RNP: encrypt_secret_key() does not wipe keybuf from memory (Low) - bug 1673236
  • RNP-01-012 WP1 Thunderbird: Logic issue potentially leaves key material unlocked (Medium) - bug 1673239
  • RNP-01-014 WP1 Thunderbird: Key manipulation via uncertified Auto-Import (Medium) - bug 1673240

Miscellaneous Issues:

  • RNP-01-002 WP3 Thunderbird: Automatic handling of autocrypt-gossip header (Info)

Kaie's comment "immediate response already done by disabling by bug 1659504 TODO: code reminder/comment for future work on this feature"

  • RNP-01-003 WP3 Thunderbird: Possible race condition when reading from disk (Info)

Kaie, you'll need a bug for "should change code to use in memory buffer, not temporary file"

  • RNP-01-008 WP3 Thunderbird: Partially unencrypted email insufficiently detected (Low) - bug 1673241
  • RNP-01-009 WP1 RNP: mem_dest_own_memory() callers do not check for NULL (Info)

"not used by TB"

  • RNP-01-010 WP1 Thunderbird: Outdated and vulnerable Botan library version (Info)

"update underlying Botan library. need plan/procedure to ensure we update Botan when appropriate"

  • RNP-01-011 WP1 RNP: Potential overflow in librepgp due to invalid size check (Low) - bug 1673242
  • RNP-01-013 WP2 Thunderbird: Forbidden cipher-suites/algorithms recommendations (Info)

Your email indicates this is fixed by Bug 1641720 - Need an OpenPGP crypto policy, only show security indicators for mechanisms that are on the allowlist

I believe this update covers all the "info" findings. If correct, then just one new bug needs to be created.

Depends on: 1659504
Flags: needinfo?(kaie)
Depends on: CVE-2021-29948

(In reply to Wayne Mery (:wsmwk) from comment #3)

  • RNP-01-003 WP3 Thunderbird: Possible race condition when reading from disk (Info)
    Kaie, you'll need a bug for "should change code to use in memory buffer, not temporary file"

yes, filed as bug 1692899

  • RNP-01-013 WP2 Thunderbird: Forbidden cipher-suites/algorithms recommendations (Info)
    Your email indicates this is fixed by Bug 1641720 - Need an OpenPGP crypto policy, only show security indicators for mechanisms that are on the allowlist

No. That bug was used to only apply a bandaid for the most problematic detail, and the one that was easiest to fix.

The underlying issue is much more complex, and is now tracked in bug 1662581 and https://github.com/rnpgp/rnp/issues/1281

However, I wouldn't track that bug as a dependency of the audit. The audit didn't uncover it as an issue. It was already known as a TODO.

Flags: needinfo?(kaie)

Are we ready to publish the cure53 audit and open up all the bugs?

We have addressed all the reported issues, and have uplifted all of them to the stable 78.x release branch.
Marking fixed.

Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Group: core-security-release
Target Milestone: --- → 91 Branch