Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu


The attached debdiff for kmail-account-wizard fixes CVE-2024-50624 in Bookworm. According to my tests everything works as intended.

This CVE has been marked as no-dsa by the security team.

  Thorsten
diff -Nru kmail-account-wizard-22.12.3/debian/changelog 
kmail-account-wizard-22.12.3/debian/changelog
--- kmail-account-wizard-22.12.3/debian/changelog       2023-03-01 
21:33:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/changelog       2025-05-27 
10:03:02.000000000 +0200
@@ -1,3 +1,16 @@
+kmail-account-wizard (4:22.12.3-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-50624
+    fix man-in-the-middle-attack when using autoconf for retrieving
+    configuration
+  * for configuration with autoconf.example.com, the config is fetched
+    via https and the former http as fallback.
+    for configuration via example.com/.well-known/autoconfig the
+    config is now fetched only with https
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Tue, 27 May 2025 10:03:02 +0200
+
 kmail-account-wizard (4:22.12.3-1) unstable; urgency=medium
 
   [ Patrick Franz ]
diff -Nru kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch 
kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch
--- kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch    
1970-01-01 01:00:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch    
2025-05-27 10:03:02.000000000 +0200
@@ -0,0 +1,68 @@
+commit 9784f5ab41c3aff435d4a88afb25585180a62ee4
+Author: Laurent Montel <mon...@kde.org>
+Date:   Mon Jun 3 13:42:29 2024 +0200
+
+    Fix bug 487882: plaintext HTTP request in kmail-account-wizard
+    
+    BUG: 487882
+    FIXED-IN: 6.2.0
+
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.cpp      2025-05-27 
11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp   2025-05-27 
12:57:09.463399061 +0200
+@@ -64,11 +64,14 @@
+     QUrl url;
+     const QString path = type + QStringLiteral("/config-v") + version + 
QStringLiteral(".xml");
+     switch (mServerType) {
++    case IspHttpsAutoConfig:
++        url = QUrl(QStringLiteral("https://autoconfig.";) + 
mAddr.domain.toLower() + QLatin1Char('/') + path);
++        break;
+     case IspAutoConfig:
+         url = QUrl(QStringLiteral("http://autoconfig.";) + 
mAddr.domain.toLower() + QLatin1Char('/') + path);
+         break;
+     case IspWellKnow:
+-        url = QUrl(QStringLiteral("http://";) + mAddr.domain.toLower() + 
QStringLiteral("/.well-known/autoconfig/") + path);
++        url = QUrl(QStringLiteral("https://";) + mAddr.domain.toLower() + 
QStringLiteral("/.well-known/autoconfig/") + path);
+         break;
+     case DataBase:
+         url = QUrl(QStringLiteral("https://autoconfig.thunderbird.net/v1.1/";) 
+ mAddr.domain.toLower());
+@@ -93,16 +96,9 @@
+         qCDebug(ACCOUNTWIZARD_LOG) << "Fetching failed" << job->errorString();
+         bool lookupFinished = false;
+ 
+-        switch (mServerType) {
+-        case IspAutoConfig:
+-            mServerType = IspWellKnow;
+-            break;
+-        case IspWellKnow:
+-            lookupFinished = true;
+-            break;
+-        case DataBase:
+-            mServerType = IspAutoConfig;
+-            break;
++        if (mServerType != Ispdb::searchServerType::Last) {
++            int index = static_cast<int>(mServerType);
++            mServerType= static_cast<Ispdb::searchServerType>(++index);
+         }
+ 
+         if (lookupFinished) {
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.h
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.h        2025-05-27 
11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.h     2025-05-27 
11:10:40.171001261 +0200
+@@ -95,9 +95,11 @@
+         @see lookupUrl to generate a url base on this type
+      */
+     enum searchServerType {
+-        IspAutoConfig = 0, /**< 
http://autoconfig.example.com/mail/config-v1.1.xml */
+-        IspWellKnow, /**< 
http://example.com/.well-known/autoconfig/mail/config-v1.1.xml */
+-        DataBase /**< https://autoconfig.thunderbird.net/v1.1/example.com */
++        DataBase = 0, ///< 
https://autoconfig.thunderbird.net/v1.1/example.com */
++        IspHttpsAutoConfig = 1, ///< 
https://autoconfig.example.com/mail/config-v1.1.xml
++        IspAutoConfig = 2, ///< 
http://autoconfig.example.com/mail/config-v1.1.xml
++        IspWellKnow = 3, ///< 
https://example.com/.well-known/autoconfig/mail/config-v1.1.xml
++        Last = IspWellKnow
+     };
+ 
+     /** let's request the autoconfig server */
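Review bot: The fallback at `if (mServerType != Ispdb::searchServerType::Last)` in the second ispdb.cpp hunk never sets `lookupFinished`, which the removed `case IspWellKnow:` did; once the last server type fails the flag stays false, so unless code after the hunk ends the search, the same URL is presumably requested again. Restoring the terminal case as `} else {` / `lookupFinished = true;` / `}` keeps the previous end-of-search behaviour; the `if (lookupFinished)` body continues outside the hunk. The new enum order still steps from `IspHttpsAutoConfig` to `IspAutoConfig`, so a failed https fetch is followed by the plaintext request this CVE is about; that intentional downgrade path should be recorded at the enumerator, e.g. `///< plain HTTP, response is unauthenticated; kept only as a fallback`. Minor: the `DataBase` doc line ends in a stray `*/` left over from the `/**<` style.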
diff -Nru kmail-account-wizard-22.12.3/debian/patches/series 
kmail-account-wizard-22.12.3/debian/patches/series
--- kmail-account-wizard-22.12.3/debian/patches/series  1970-01-01 
01:00:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/patches/series  2025-05-27 
10:03:02.000000000 +0200
@@ -0,0 +1 @@
+CVE-2024-50624.patch
