Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-qt-...@lists.debian.org
Please unblock package kf5-messagelib

[ Reason ]
The -5 just fixes the CVE-2021-31855 handled in #989438: If a user deletes an attachment of an encrypted mail, this step will trigger an upload of the encrypted mail to the IMAP server.

[ Impact ]
The software has a known CVE.

[ Tests ]
Uploaded the -5 several days ago without any bad user response. The upstream bugfix also did not trigger any bad user experience on other Linux distros.

[ Risks ]
The fix is very simple, just a single line. I have myself reviewed the upstream bugfix, so I'm quite confident that this fixes the CVE properly.

[ Checklist ]
[ x ] all changes are documented in the d/changelog
[ x ] I reviewed all changes and I approve them
[ x ] attach debdiff against the package in testing

[ Other info ]
Forgot to mention the bug number in d/changelog.

unblock kf5-messagelib/4:20.08.3-5
diff -Nru kf5-messagelib-20.08.3/debian/changelog kf5-messagelib-20.08.3/debian/changelog --- kf5-messagelib-20.08.3/debian/changelog 2021-04-06 16:22:38.000000000 +0200 +++ kf5-messagelib-20.08.3/debian/changelog 2021-06-23 12:48:07.000000000 +0200 @@ -1,3 +1,10 @@ +kf5-messagelib (4:20.08.3-5) unstable; urgency=high + + [ Norbert Preining ] + * Backport upstream fix for CVE-2021-31855. + + -- Sandro Knauß <he...@debian.org> Wed, 23 Jun 2021 12:48:07 +0200 + kf5-messagelib (4:20.08.3-4) unstable; urgency=medium * Fix broken patch series file (Closes: #986452). diff -Nru kf5-messagelib-20.08.3/debian/patches/series kf5-messagelib-20.08.3/debian/patches/series --- kf5-messagelib-20.08.3/debian/patches/series 2021-04-06 16:11:15.000000000 +0200 +++ kf5-messagelib-20.08.3/debian/patches/series 2021-06-10 16:33:14.000000000 +0200 @@ -4,3 +4,4 @@ messagecomposer-Move-protected-headers-to-signed-par.patch mail-thread-ignored-and-mail-thread-watched-exist-in.patch KeyResolver-Enable-ContactPreferences-again.patch +upstream-3b5b171e-cv-2021-31855.patch diff -Nru kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch --- kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 1970-01-01 01:00:00.000000000 +0100 +++ kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 2021-06-10 16:33:14.000000000 +0200 
@@ -0,0 +1,24 @@ +From 3b5b171e91ce78b966c98b1292a1bcbc8d984799 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?= <kloec...@kde.org> +Date: Thu, 29 Apr 2021 22:13:38 +0200 +Subject: [PATCH] Fix CVE-2021-31855 + +Deleting an attachment of a decrypted encrypted message stored on a remote server +(e.g. an IMAP server) causes KMail to upload the decrypted content of the message +to the remote server. This is not easily noticeable by the user because KMail does +not display the decrypted content. +--- + messageviewer/src/viewer/viewer_p.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/messageviewer/src/viewer/viewer_p.cpp ++++ b/messageviewer/src/viewer/viewer_p.cpp +@@ -418,7 +418,7 @@ bool ViewerPrivate::deleteAttachment(KMi + #ifndef QT_NO_TREEVIEW + mMimePartTree->mimePartModel()->setRoot(modifiedMessage); + #endif +- mMessageItem.setPayloadFromData(modifiedMessage->encodedContent()); ++ mMessageItem.setPayloadFromData(mMessage->encodedContent()); + Akonadi::ItemModifyJob *job = new Akonadi::ItemModifyJob(mMessageItem, mSession); + job->disableRevisionCheck(); + connect(job, &KJob::result, this, &ViewerPrivate::itemModifiedResult);
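Review bot: the debian/changelog hunk for 4:20.08.3-5 does not reference the Debian bug that tracks this CVE, even though the request body names it (#989438) and the submitter notes the omission under "Other info". Before the unblock is granted the entry should read something like "* Backport upstream fix for CVE-2021-31855 (Closes: #989438)." so the bug is closed automatically on migration and the fix is traceable from the BTS; urgency=high is appropriate for a security fix and can stay.

Review bot: the debian/patches/series hunk adds a patch named upstream-3b5b171e-cv-2021-31855.patch, where "cv" looks like a typo for "cve". Since the same name appears in the new patch file's header, renaming it to upstream-3b5b171e-cve-2021-31855.patch would need to touch both hunks; it is cosmetic, but a consistent CVE-based filename makes the patch easier to find when the next stable update or security tracker audit looks for it.

Review bot: the one-line change in ViewerPrivate::deleteAttachment() only swaps which object is serialised into the Akonadi item (mMessage instead of modifiedMessage), while the line just above it still sets the MIME part tree root from modifiedMessage. The hunk alone does not show whether the attachment removal was applied to mMessage as well, so the reviewer should confirm in the surrounding function that mMessage reflects the deletion; if it does not, the ItemModifyJob would persist an unchanged message and the user's deletion would be silently lost. The upstream commit message explains the security concern (modifiedMessage carries the decrypted content, so uploading it replaced the stored ciphertext on the IMAP server with plaintext), and a short code comment above the setPayloadFromData() call stating that the decrypted tree must never be written back would help prevent the regression from being reintroduced.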