Package: kmail Version: 4:4.4.11.1+l10n-3+b1 Severity: normal Tags: patch Dear Maintainer,
KMail (1.3.7) is unable to verify signatures for PGP/MIME encrypted messages. This bug was fixed upstream in https://projects.kde.org/projects/kde/kdepim/repository/revisions/44a3eb070b74414256f8f8ef58f73fd67678f5e4 -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (650, 'testing'), (600, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.7.1 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages kmail depends on: ii kde-runtime 4:4.8.4-2 ii kdepim-runtime 4:4.4.11.1-6 ii kdepimlibs-kio-plugins 4:4.8.4-2 ii libakonadi-contact4 4:4.8.4-2 ii libakonadi-kde4 4:4.8.4-2 ii libc6 2.17-3 ii libgcc1 1:4.8.0-7 ii libgpgme++2 4:4.8.4-2 ii libkabc4 4:4.8.4-2 ii libkcal4 4:4.8.4-2 ii libkcmutils4 4:4.8.4-4 ii libkde3support4 4:4.8.4-4 ii libkdecore5 4:4.8.4-4 ii libkdepim4 4:4.4.11.1+l10n-3+b1 ii libkdeui5 4:4.8.4-4 ii libkhtml5 4:4.8.4-4 ii libkimap4 4:4.8.4-2 ii libkio5 4:4.8.4-4 ii libkldap4 4:4.8.4-2 ii libkleo4 4:4.4.11.1+l10n-3+b1 ii libkmime4 4:4.8.4-2 ii libknotifyconfig4 4:4.8.4-4 ii libkontactinterface4 4:4.8.4-2 ii libkparts4 4:4.8.4-4 ii libkpgp4 4:4.4.11.1+l10n-3+b1 ii libkpimidentities4 4:4.8.4-2 ii libkpimtextedit4 4:4.8.4-2 ii libkpimutils4 4:4.8.4-2 ii libkresources4 4:4.8.4-2 ii libksieve4 4:4.4.11.1+l10n-3+b1 ii libktnef4 4:4.8.4-2 ii libmailtransport4 4:4.8.4-2 ii libmessagecore4 4:4.4.11.1+l10n-3+b1 ii libmessagelist4 4:4.4.11.1+l10n-3+b1 ii libmimelib4 4:4.4.11.1+l10n-3+b1 ii libnepomuk4 4:4.8.4-4 ii libphonon4 4:4.6.0.0-3 ii libqt4-dbus 4:4.8.2+dfsg-11 ii libqt4-network 4:4.8.2+dfsg-11 ii libqt4-qt3support 4:4.8.2+dfsg-11 ii libqt4-xml 4:4.8.2+dfsg-11 ii libqtcore4 4:4.8.2+dfsg-11 ii libqtgui4 4:4.8.2+dfsg-11 ii libstdc++6 4.8.0-7 ii libthreadweaver4 4:4.8.4-4 ii perl 5.14.2-21 ii phonon 4:4.6.0.0-3 Versions of packages kmail recommends: ii gnupg-agent 2.0.20-1 ii gnupg2 2.0.20-1 ii pinentry-gtk2 
[pinentry-x11] 0.8.1-1 ii pinentry-qt4 [pinentry-x11] 0.8.1-1 Versions of packages kmail suggests: ii bogofilter 1.2.2+dfsg1-3 pn clamav | f-prot-installer <none> ii kaddressbook 4:4.4.11.1+l10n-3+b1 pn kleopatra <none> ii procmail 3.22-20 -- no debconf information
diff -Nru kdepim-4.4.11.1+l10n/debian/changelog kdepim-4.4.11.1+l10n/debian/changelog --- kdepim-4.4.11.1+l10n/debian/changelog 2012-06-10 13:12:30.000000000 +0100 +++ kdepim-4.4.11.1+l10n/debian/changelog 2013-05-30 09:48:18.000000000 +0100 @@ -1,3 +1,11 @@ +kdepim (4:4.4.11.1+l10n-3.1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * Backport upstream commit 44a3eb070b74414256f8f8ef58f73fd67678f5e4 to fix + OpenPGP signaure verification + + -- Martin Albrecht <martinralbre...@googlemail.com> Thu, 30 May 2013 09:46:38 +0100 + kdepim (4:4.4.11.1+l10n-3) unstable; urgency=low * Team upload. diff -Nru kdepim-4.4.11.1+l10n/debian/patches/series kdepim-4.4.11.1+l10n/debian/patches/series --- kdepim-4.4.11.1+l10n/debian/patches/series 2012-06-10 12:56:33.000000000 +0100 +++ kdepim-4.4.11.1+l10n/debian/patches/series 2013-05-30 09:39:23.000000000 +0100 @@ -6,3 +6,4 @@ upstream_Build-with-clang.patch upstream_Fix-crash-in-Folder-destructor.patch upstream_in-c4_String-c4_String-only-call-memset-if-the-numbe.patch +upstream-verify-signature-rfc-3156.patch diff -Nru kdepim-4.4.11.1+l10n/debian/patches/upstream-verify-signature-rfc-3156.patch kdepim-4.4.11.1+l10n/debian/patches/upstream-verify-signature-rfc-3156.patch --- kdepim-4.4.11.1+l10n/debian/patches/upstream-verify-signature-rfc-3156.patch 1970-01-01 01:00:00.000000000 +0100 +++ kdepim-4.4.11.1+l10n/debian/patches/upstream-verify-signature-rfc-3156.patch 2013-05-30 09:43:01.000000000 +0100 
@@ -0,0 +1,46 @@ +Index: kdepim-4.4.11.1+l10n/kmail/objecttreeparser.cpp +=================================================================== +--- kdepim-4.4.11.1+l10n.orig/kmail/objecttreeparser.cpp 2011-04-20 21:03:31.000000000 +0100 ++++ kdepim-4.4.11.1+l10n/kmail/objecttreeparser.cpp 2013-05-30 09:42:58.466795851 +0100 +@@ -605,8 +605,40 @@ + messagePart.status = i18n("Different results for signatures"); + } + } +- if ( messagePart.status_code & GPGME_SIG_STAT_GOOD ) ++ if ( messagePart.status_code & GPGME_SIG_STAT_GOOD ) { + messagePart.isGoodSignature = true; ++ if ( !doCheck ) { ++ // We have a good signature but did not do a verify, ++ // this means the signature was already validated before by ++ // decryptverify for example. ++ Q_ASSERT( !key.keyID() ); // There should be no key set without doCheck ++ // Search for the key by it's fingerprint so that we can check for ++ // trust etc. ++ ++ Kleo::KeyListJob * job = cryptProto->keyListJob( false ); // local, no sigs ++ ++ if ( !job ) { ++ kDebug() << "The Crypto backend does not support listing keys. "; ++ } else { ++ std::vector<GpgME::Key> found_keys; ++ // As we are local it is ok to make this synchronous ++ GpgME::KeyListResult res = job->exec( QStringList( signature.fingerprint() ), false, found_keys ); ++ if ( res.error() ) { ++ kDebug() << "Error while searching key for Fingerprint: " << signature.fingerprint(); ++ } ++ if ( found_keys.size() > 1 ) { ++ // Should not Happen ++ kDebug() << "Oops: Found more then one Key for Fingerprint: " << signature.fingerprint(); ++ } ++ if ( found_keys.size() != 1 ) { ++ // Should not Happen at this point ++ kDebug() << "Oops: Found no Key for Fingerprint: " << signature.fingerprint(); ++ } else { ++ key = found_keys[0]; ++ } ++ } ++ } ++ } + + // save extended signature status flags + messagePart.sigSummary = signature.summary();
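Review bot: In the `!doCheck` branch a failed key listing is only logged: after `res.error()` the code still inspects `found_keys` and can assign `key = found_keys[0]` from a partial result, and the `found_keys.size() != 1` branch logs "Found no Key" even when several keys matched. `messagePart.isGoodSignature` is already true by then, so every failure path (no `job`, listing error, zero or several matches) leaves a good-signature result with no key behind it. The code that derives trust and validity from `key` lies outside this hunk, so confirm that it presents that case as an unknown key rather than a trusted one. `Q_ASSERT( !key.keyID() )` is compiled out of release builds, and `cryptProto` is dereferenced without a null check in the visible lines. I would chain the checks so that `key` is assigned only after an error-free listing with exactly one match, as below; the identical copy of this hunk attached further down the page has the same issue, and the enclosing function begins and ends outside the hunk.

```cpp
// … unchanged: keyListJob() lookup and the !job branch …
GpgME::KeyListResult res = job->exec( QStringList( signature.fingerprint() ), false, found_keys );
if ( res.error() ) {
  kDebug() << "Error while searching key for Fingerprint: " << signature.fingerprint();
} else if ( found_keys.size() == 1 ) {
  key = found_keys[0];
} else {
  // Zero or several matches: leave key unset instead of picking one.
  kDebug() << "Did not find exactly one Key for Fingerprint: " << signature.fingerprint();
}
```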
diff -Nru kdepim-4.4.11.1+l10n/debian/changelog kdepim-4.4.11.1+l10n/debian/changelog --- kdepim-4.4.11.1+l10n/debian/changelog 2012-06-10 13:12:30.000000000 +0100 +++ kdepim-4.4.11.1+l10n/debian/changelog 2013-05-30 09:48:18.000000000 +0100 @@ -1,3 +1,11 @@ +kdepim (4:4.4.11.1+l10n-3.1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * Backport upstream commit 44a3eb070b74414256f8f8ef58f73fd67678f5e4 to fix + OpenPGP signaure verification + + -- Martin Albrecht <martinralbre...@googlemail.com> Thu, 30 May 2013 09:46:38 +0100 + kdepim (4:4.4.11.1+l10n-3) unstable; urgency=low * Team upload. diff -Nru kdepim-4.4.11.1+l10n/debian/patches/series kdepim-4.4.11.1+l10n/debian/patches/series --- kdepim-4.4.11.1+l10n/debian/patches/series 2012-06-10 12:56:33.000000000 +0100 +++ kdepim-4.4.11.1+l10n/debian/patches/series 2013-05-30 09:39:23.000000000 +0100 @@ -6,3 +6,4 @@ upstream_Build-with-clang.patch upstream_Fix-crash-in-Folder-destructor.patch upstream_in-c4_String-c4_String-only-call-memset-if-the-numbe.patch +upstream-verify-signature-rfc-3156.patch diff -Nru kdepim-4.4.11.1+l10n/debian/patches/upstream-verify-signature-rfc-3156.patch kdepim-4.4.11.1+l10n/debian/patches/upstream-verify-signature-rfc-3156.patch --- kdepim-4.4.11.1+l10n/debian/patches/upstream-verify-signature-rfc-3156.patch 1970-01-01 01:00:00.000000000 +0100 +++ kdepim-4.4.11.1+l10n/debian/patches/upstream-verify-signature-rfc-3156.patch 2013-05-30 09:43:01.000000000 +0100 
@@ -0,0 +1,46 @@ +Index: kdepim-4.4.11.1+l10n/kmail/objecttreeparser.cpp +=================================================================== +--- kdepim-4.4.11.1+l10n.orig/kmail/objecttreeparser.cpp 2011-04-20 21:03:31.000000000 +0100 ++++ kdepim-4.4.11.1+l10n/kmail/objecttreeparser.cpp 2013-05-30 09:42:58.466795851 +0100 +@@ -605,8 +605,40 @@ + messagePart.status = i18n("Different results for signatures"); + } + } +- if ( messagePart.status_code & GPGME_SIG_STAT_GOOD ) ++ if ( messagePart.status_code & GPGME_SIG_STAT_GOOD ) { + messagePart.isGoodSignature = true; ++ if ( !doCheck ) { ++ // We have a good signature but did not do a verify, ++ // this means the signature was already validated before by ++ // decryptverify for example. ++ Q_ASSERT( !key.keyID() ); // There should be no key set without doCheck ++ // Search for the key by it's fingerprint so that we can check for ++ // trust etc. ++ ++ Kleo::KeyListJob * job = cryptProto->keyListJob( false ); // local, no sigs ++ ++ if ( !job ) { ++ kDebug() << "The Crypto backend does not support listing keys. "; ++ } else { ++ std::vector<GpgME::Key> found_keys; ++ // As we are local it is ok to make this synchronous ++ GpgME::KeyListResult res = job->exec( QStringList( signature.fingerprint() ), false, found_keys ); ++ if ( res.error() ) { ++ kDebug() << "Error while searching key for Fingerprint: " << signature.fingerprint(); ++ } ++ if ( found_keys.size() > 1 ) { ++ // Should not Happen ++ kDebug() << "Oops: Found more then one Key for Fingerprint: " << signature.fingerprint(); ++ } ++ if ( found_keys.size() != 1 ) { ++ // Should not Happen at this point ++ kDebug() << "Oops: Found no Key for Fingerprint: " << signature.fingerprint(); ++ } else { ++ key = found_keys[0]; ++ } ++ } ++ } ++ } + + // save extended signature status flags + messagePart.sigSummary = signature.summary();