Hey, I now have a fixed version for stretch and sid (see debdiff). Because Debian is currently in the release process, I'm not sure how to upload/handle the fix for stretch. Best Regards, sandro
diff -Nru kdepim-16.04.3/debian/changelog kdepim-16.04.3/debian/changelog
--- kdepim-16.04.3/debian/changelog 2016-11-23 14:38:49.000000000 +0100
+++ kdepim-16.04.3/debian/changelog 2017-06-17 12:12:03.000000000 +0200
@@ -1,3 +1,13 @@
+kdepim (4:16.04.3-4) unstable; urgency=high
+
+ * Team upload.
+
+ [ Sandro Knauß ]
+ * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864804)
+ - Added upstream patch fix-CVE-2017-9604.patch
+
+ -- Sandro Knauß <he...@debian.org> Sat, 17 Jun 2017 12:12:03 +0200
+
 kdepim (4:16.04.3-3) unstable; urgency=medium
 * Team upload.
diff -Nru kdepim-16.04.3/debian/patches/fix-CVE-2017-9604.patch kdepim-16.04.3/debian/patches/fix-CVE-2017-9604.patch
--- kdepim-16.04.3/debian/patches/fix-CVE-2017-9604.patch 1970-01-01 01:00:00.000000000 +0100
+++ kdepim-16.04.3/debian/patches/fix-CVE-2017-9604.patch 2017-06-17 11:29:50.000000000 +0200
@@ -0,0 +1,62 @@
+From 78c5552be2f00a4ac25bd77ca39386522fca70a8 Mon Sep 17 00:00:00 2001
+From: Montel Laurent <mon...@kde.org>
+Date: Fri, 2 Jun 2017 13:59:02 +0200
+Subject: Make sure that we use plugin when we use sendlater feature
+
+---
+ kmail/editor/kmcomposerwin.cpp | 9 +++++----
+ kmail/editor/kmcomposerwin.h | 3 ++-
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kmail/editor/kmcomposerwin.cpp
++++ b/kmail/editor/kmcomposerwin.cpp
+@@ -2376,7 +2376,7 @@ void KMComposerWin::printComposeResult(K
+ }
+
+ void KMComposerWin::doSend(MessageComposer::MessageSender::SendMethod method,
+- MessageComposer::MessageSender::SaveIn saveIn)
++ MessageComposer::MessageSender::SaveIn saveIn, bool willSendItWithoutReediting)
+ {
+ if (mStorageService->numProgressUpdateFile() > 0) {
+ KMessageBox::sorry(this, i18np("There is %1 file upload in progress.",
+@@ -2391,7 +2391,7 @@ void KMComposerWin::doSend(MessageCompos
+ }
+ }
+
+- if (saveIn == MessageComposer::MessageSender::SaveInNone) { // don't save as draft or template, send immediately
++ if (saveIn == MessageComposer::MessageSender::SaveInNone || willSendItWithoutReediting) { // don't save as draft or template, send immediately
+ if (KEmailAddress::firstEmailAddress(from()).isEmpty()) {
+ if (!(mShowHeaders & HDR_FROM)) {
+ mShowHeaders |= HDR_FROM;
+@@ -2558,6 +2558,7 @@ void KMComposerWin::slotSendLater()
+ if (!checkRecipientNumber()) {
+ return;
+ }
++ mComposerBase->setSendLaterInfo(nullptr);
+ if (mComposerBase->editor()->checkExternalEditorFinished()) {
+ const bool wasRegistered = (SendLater::SendLaterUtil::sentLaterAgentWasRegistered() && SendLater::SendLaterUtil::sentLaterAgentEnabled());
+ if (wasRegistered) {
+@@ -2580,9 +2581,9 @@ void KMComposerWin::slotSendLater()
+ case SendLater::SendLaterDialog::SendDeliveryAtTime: {
+ mComposerBase->setSendLaterInfo(info);
+ if (info->isRecurrence()) {
+- doSend(MessageComposer::MessageSender::SendLater, MessageComposer::MessageSender::SaveInTemplates);
++ doSend(MessageComposer::MessageSender::SendLater, MessageComposer::MessageSender::SaveInTemplates, true);
+ } else {
+- doSend(MessageComposer::MessageSender::SendLater, MessageComposer::MessageSender::SaveInDrafts);
++ doSend(MessageComposer::MessageSender::SendLater, MessageComposer::MessageSender::SaveInDrafts, true);
+ }
+ break;
+ }
+--- a/kmail/editor/kmcomposerwin.h
++++ b/kmail/editor/kmcomposerwin.h
+@@ -510,7 +510,8 @@ private:
+ * Send the message.
+ */
+ void doSend(MessageComposer::MessageSender::SendMethod method = MessageComposer::MessageSender::SendDefault,
+- MessageComposer::MessageSender::SaveIn saveIn = MessageComposer::MessageSender::SaveInNone);
++ MessageComposer::MessageSender::SaveIn saveIn = MessageComposer::MessageSender::SaveInNone,
++ bool willSendItWithoutReediting = false);
+
+ void doDelayedSend(MessageComposer::MessageSender::SendMethod method, MessageComposer::MessageSender::SaveIn saveIn);
+
diff -Nru kdepim-16.04.3/debian/patches/series kdepim-16.04.3/debian/patches/series
--- kdepim-16.04.3/debian/patches/series 2016-11-23 13:27:45.000000000 +0100
+++ kdepim-16.04.3/debian/patches/series 2017-06-17 11:22:47.000000000 +0200
@@ -4,3 +4,4 @@
 fix_crash_on_exit.patch
 fix_crash_when_a_second_instance_of_KAlarm_is_started.patch
 konsolekalendar_help.patch
+fix-CVE-2017-9604.patch
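Review bot: In the `doSend` hunk of kmcomposerwin.cpp the widened condition `saveIn == SaveInNone || willSendItWithoutReediting` keeps the trailing comment `// don't save as draft or template, send immediately`, which is now wrong for the Send Later case where the message is stored in drafts or templates, and the declaration in kmcomposerwin.h adds the parameter without documenting it. Because this flag appears to be what routes a delayed message through the same pre-send branch as an immediate send (the path the patch subject ties to the plugin and the changelog to the OpenPGP bypass), I would extend the header doc comment with something like `@param willSendItWithoutReediting true when the message is queued for later delivery and will not be reopened in the composer, so it must pass the same pre-send checks as an immediate send`, and reword the inline comment to `// sent without further editing: run the pre-send checks`. The unchanged `doDelayedSend(method, saveIn)` declaration does not carry the flag, so whether later stages still treat `SaveInDrafts`/`SaveInTemplates` differently cannot be judged from these hunks and is worth confirming in the full file before upload. The bodies of `doSend` and `slotSendLater` continue outside the hunks.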