Hey,

I now have a fixed version for stretch and sid (see debdiff). Because Debian is currently in the release process, I'm not sure how to upload/handle the fix for stretch.

Best Regards,

sandro

--

On Thursday, 15 June 2017 07:40:10 CEST Salvatore Bonaccorso wrote:
> Source: kf5-messagelib
> Version: 4:16.04.3-2
> Severity: important
> Tags: patch upstream security
> Control: clone -1 -2
> Control: reassign -2 kdepim 4:4.14.1-1
>
> Hi,
>
> the following vulnerability was published for kf5-messagelib (and
> kmail).
>
> CVE-2017-9604[0]:
> | KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in
> | KDE Applications before 17.04.2, do not ensure that a plugin's
> | sign/encrypt action occurs during use of the Send Later feature, which
> | allows remote attackers to obtain sensitive information by sniffing the
> | network.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-9604
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9604
> [1] https://www.kde.org/info/security/advisory-20170615-1.txt
>
> Looking at the patchset I see it would apply as well to
> kdepim/4:4.14.1-1 to some extent. I though have some difficulties to
> correctly classify not knowing this Send Later feature. Can you please
> double check the above.
>
> Regards,
> Salvatore

diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog --- kf5-messagelib-16.04.3/debian/changelog 2016-08-02 14:07:27.000000000 +0200 +++ kf5-messagelib-16.04.3/debian/changelog 2017-06-17 09:08:12.000000000 +0200 @@ -1,3 +1,13 @@ +kf5-messagelib (4:16.04.3-3) unstable; urgency=high + + * Team upload. + + [ Sandro Knauß ] + * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803) + - Added upstream patch fix-CVE-2017-9604.patch + + -- Sandro Knauß <he...@debian.org> Sat, 17 Jun 2017 09:08:12 +0200 + kf5-messagelib (4:16.04.3-2) unstable; urgency=high [ Automatic packaging ] diff -Nru kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch --- kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 1970-01-01 01:00:00.000000000 +0100 +++ kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 2017-06-17 08:35:48.000000000 +0200 
@@ -0,0 +1,26 @@ +From c54706e990bbd6498e7b1597ec7900bc809e8197 Mon Sep 17 00:00:00 2001 +From: Montel Laurent <mon...@kde.org> +Date: Fri, 2 Jun 2017 13:56:41 +0200 +Subject: Make sure to sign/encrypt message when we send later + +(cherry picked from commit 4048f5e46d0a7d62d93d74fd2861dd70fb2ad660) +--- + messagecomposer/src/composer/composerviewbase.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp +index d44b8b2..672ea1e 100644 +--- a/messagecomposer/src/composer/composerviewbase.cpp ++++ b/messagecomposer/src/composer/composerviewbase.cpp +@@ -468,7 +468,7 @@ void MessageComposer::ComposerViewBase::slotEmailAddressResolved(KJob *job) + // if so, we create a composer per format + // if we aren't signing or encrypting, this just returns a single empty message + bool wasCanceled = false; +- if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone) { ++ if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone && !mSendLaterInfo) { + MessageComposer::Composer *composer = new MessageComposer::Composer; + composer->setNoCrypto(true); + m_composers.append(composer); +-- +cgit v0.11.2 + diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series --- kf5-messagelib-16.04.3/debian/patches/series 2016-08-02 14:07:27.000000000 +0200 +++ kf5-messagelib-16.04.3/debian/patches/series 2017-06-17 09:02:09.000000000 +0200 @@ -1,2 +1,3 @@ upstream_add_copying_files.patch make-it-impossible-to-override-css-settings-from-a-h.patch +fix-CVE-2017-9604.patch
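
Review bot: the !mSendLaterInfo clause added to the condition in slotEmailAddressResolved (composerviewbase.cpp, inside fix-CVE-2017-9604.patch) has no comment saying why a send-later message must stay out of the setNoCrypto(true) branch, and the two comment lines above it still describe only the sign/encrypt split. A short comment beside the condition naming CVE-2017-9604 would keep a later refactor from dropping the clause. The branch is still taken whenever m_neverEncrypt is set with a target other than SaveInNone and no send-later info, so it is worth confirming that a delayed message can never reach this slot with mSendLaterInfo unset.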
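
Review bot: the new entry at the top of debian/changelog targets only unstable as 4:16.04.3-3, while the cover message speaks of a fix for both stretch and sid; a separate stretch upload would need its own entry with its own version and distribution. The entry does carry the CVE id and Closes: #864803, as the bug report asked.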