Bug 791275 - Partially possible to display faked/spoiled email sender addresses
Status: RESOLVED FIXED
Product: geary
Classification: Other
Component: engine
Version: unspecified
Hardware: Other Linux
Importance: High major
Target Milestone: 0.13.0
Assigned To: Geary Maintainers
QA Contact: Geary Maintainers
Keywords: security
Depends on:
Blocks: 788073
 
 
Reported: 2017-12-05 16:56 UTC by 1d28ed33
Modified: 2018-02-05 11:42 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Image 1/Variation #2 (34.80 KB, image/png)
2017-12-05 16:57 UTC, 1d28ed33

Description 1d28ed33 2017-12-05 16:56:32 UTC
You seem to be affected by https://www.mailsploit.com at least to some degree.

I could get a potus@whitehouse.gov" <potus@whitehouse.gov>? as an example. This looks a bit destroyed but users may still recognize it as a valid mail.
Image 1/Variation #2

And with variation #5 I can see potus@whitehouse.gov in the overview, at least. See image 2.
Comment 1 1d28ed33 2017-12-05 16:57:09 UTC
Created attachment 365043
Image 1/Variation #2
Comment 2 1d28ed33 2017-12-05 17:07:12 UTC
By finder of the vuln:
> Variation #5 is simply the email as the sender name. But, indeed, disturbing, should have been caught by the spam filter.

https://twitter.com/pwnsdx/status/938092077484838912
Comment 3 Michael Gratton 2017-12-07 13:15:34 UTC
Hey, thanks for reporting this. I'll look into a fix ASAP.
Comment 4 Federico Bruni 2017-12-20 17:33:21 UTC
But the real sender @mailsploit.com is always visible. Well, it's grey, while From is black bold.
Comment 5 1d28ed33 2017-12-20 21:15:54 UTC
Sure, but in the overview that's not really visible: https://pbs.twimg.com/media/DQTEDlVX0AE5fh4.jpg:large
Comment 6 Michael Gratton 2018-01-31 06:15:42 UTC
This has been fixed on master by commit b7eea857.

I can't really port the full fix to geary-0.12 since it's pretty invasive and would require a string change, but after some testing I'll at least cherry pick commit 71e0e683 since that's the most important part of it.
Comment 7 Michael Gratton 2018-02-05 11:42:20 UTC
This needed a bit more work than just the original patch set, so I'm not going to get this into 0.12, rather it will need to wait for 0.13.
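
Added example, not part of the bug thread and not Geary's fix: a Python check for the case discussed above, where the sender name shows an address other than the real one and only the name appears in the overview. The function names, `overview_label` and the `example.org` addresses are assumptions made for illustration.

```python
import re
from email.errors import HeaderParseError
from email.header import Header, decode_header, make_header
from email.utils import parseaddr

# Loose pattern for text a reader would take to be an e-mail address.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def check_from(raw_from):
    """Return (display_name, address, misleading) for a From header value."""
    name, addr = parseaddr(raw_from)
    try:
        # Decode RFC 2047 encoded-words so the check sees what a client renders.
        name = str(make_header(decode_header(name)))
    except (HeaderParseError, LookupError, UnicodeError):
        pass  # undecodable: keep the raw name
    shown = {m.lower() for m in ADDR_RE.findall(name)}
    # Misleading: the name shows an address other than the real one.
    return name, addr, bool(shown - {addr.lower()})


def overview_label(raw_from):
    """Hypothetical list-view label: fall back to the real address when the
    display name is missing or shows a different address."""
    name, addr, misleading = check_from(raw_from)
    return addr if misleading or not name else name


# Constructed samples; sender@example.org stands in for the real sender.
SAMPLES = [
    '"potus@whitehouse.gov" <sender@example.org>',
    Header("potus@whitehouse.gov", "utf-8").encode() + " <sender@example.org>",
    "Michael <michael@example.org>",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_from(raw), "->", overview_label(raw))
```

The second sample carries the same name as an encoded-word, which is why the comparison runs on the decoded name rather than on the raw header.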