Your message dated Wed, 7 Jul 2021 18:27:00 +0200
with message-id <YOXV1CpVi5aXv/o...@ramacher.at>
and subject line Re: Bug#990773: unblock: kf5-messagelib/4:20.08.3-5
has caused the Debian Bug report #990773,
regarding unblock: kf5-messagelib/4:20.08.3-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990773: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990773
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-qt-...@lists.debian.org

Please unblock package kf5-messagelib

[ Reason ]
The -5 just fixes CVE-2021-31855, handled in #989438:
If a user deletes an attachment of an encrypted mail, this step
will trigger an upload of the encrypted mail to the IMAP server.

[ Impact ]
The software has a known CVE.

[ Tests ]
Uploaded the -5 several days ago without any bad user response. The
upstream bugfix also did not trigger any bad user experience on other
Linux distros.

[ Risks ]
The fix is very simple, just a single line. I have reviewed the
upstream bugfix myself, so I'm quite confident that this fixes
the CVE properly.

[ Checklist ]
  [ x ] all changes are documented in the d/changelog
  [ x ] I reviewed all changes and I approve them
  [ x ] attach debdiff against the package in testing

[ Other info ]
I forgot to mention the bug number in d/changelog.

unblock kf5-messagelib/4:20.08.3-5
diff -Nru kf5-messagelib-20.08.3/debian/changelog 
kf5-messagelib-20.08.3/debian/changelog
--- kf5-messagelib-20.08.3/debian/changelog     2021-04-06 16:22:38.000000000 
+0200
+++ kf5-messagelib-20.08.3/debian/changelog     2021-06-23 12:48:07.000000000 
+0200
@@ -1,3 +1,10 @@
+kf5-messagelib (4:20.08.3-5) unstable; urgency=high
+
+  [ Norbert Preining ]
+  * Backport upstream fix for CVE-2021-31855.
+
+ -- Sandro Knauß <he...@debian.org>  Wed, 23 Jun 2021 12:48:07 +0200
+
 kf5-messagelib (4:20.08.3-4) unstable; urgency=medium
 
   * Fix broken patch series file (Closes: #986452).
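Review bot: the -5 entry names the CVE but carries no bug reference: `* Backport upstream fix for CVE-2021-31855.` lacks `(Closes: #989438)`, so the bug tracking this CVE is not closed automatically by the upload (the request's [ Other info ] acknowledges the omission). Worth adding in the next upload, together with the upstream commit id 3b5b171e, so the changelog alone identifies what was backported. urgency=high is appropriate for a security fix.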
diff -Nru kf5-messagelib-20.08.3/debian/patches/series 
kf5-messagelib-20.08.3/debian/patches/series
--- kf5-messagelib-20.08.3/debian/patches/series        2021-04-06 
16:11:15.000000000 +0200
+++ kf5-messagelib-20.08.3/debian/patches/series        2021-06-10 
16:33:14.000000000 +0200
@@ -4,3 +4,4 @@
 messagecomposer-Move-protected-headers-to-signed-par.patch
 mail-thread-ignored-and-mail-thread-watched-exist-in.patch
 KeyResolver-Enable-ContactPreferences-again.patch
+upstream-3b5b171e-cv-2021-31855.patch
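Review bot: the new patch is named `upstream-3b5b171e-cv-2021-31855.patch`, with `cv` rather than `cve`; the truncated identifier makes the patch harder to find when searching the archive for CVE-2021-31855, so consider renaming it to `upstream-3b5b171e-cve-2021-31855.patch` (and updating this series line) before the next upload. Appending it at the end of the series is otherwise fine.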
diff -Nru 
kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 
kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch
--- kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 
1970-01-01 01:00:00.000000000 +0100
+++ kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 
2021-06-10 16:33:14.000000000 +0200
@@ -0,0 +1,24 @@
+From 3b5b171e91ce78b966c98b1292a1bcbc8d984799 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?= <kloec...@kde.org>
+Date: Thu, 29 Apr 2021 22:13:38 +0200
+Subject: [PATCH] Fix CVE-2021-31855
+
+Deleting an attachment of a decrypted encrypted message stored on a remote 
server
+(e.g. an IMAP server) causes KMail to upload the decrypted content of the 
message
+to the remote server. This is not easily noticeable by the user because KMail 
does
+not display the decrypted content.
+---
+ messageviewer/src/viewer/viewer_p.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/messageviewer/src/viewer/viewer_p.cpp
++++ b/messageviewer/src/viewer/viewer_p.cpp
+@@ -418,7 +418,7 @@ bool ViewerPrivate::deleteAttachment(KMi
+ #ifndef QT_NO_TREEVIEW
+     mMimePartTree->mimePartModel()->setRoot(modifiedMessage);
+ #endif
+-    mMessageItem.setPayloadFromData(modifiedMessage->encodedContent());
++    mMessageItem.setPayloadFromData(mMessage->encodedContent());
+     Akonadi::ItemModifyJob *job = new Akonadi::ItemModifyJob(mMessageItem, 
mSession);
+     job->disableRevisionCheck();
+     connect(job, &KJob::result, this, &ViewerPrivate::itemModifiedResult);
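Review bot: the one-line change is the whole fix and matches the description: `mMessageItem.setPayloadFromData(mMessage->encodedContent());` now writes the original, still-encrypted message back through the `Akonadi::ItemModifyJob` instead of `modifiedMessage`, the decrypted copy with the attachment removed, so decrypted content no longer leaves the client. Two points the package should make explicit: (1) `mMimePartTree->mimePartModel()->setRoot(modifiedMessage);` is kept, so the viewer shows the attachment as removed while the item stored on the server appears to remain the untouched encrypted message, which users deleting attachments from encrypted mail will notice; a sentence in d/changelog or the patch description would save bug reports. (2) The patch header is git format-patch style with no DEP-3 `Origin:` or `Bug-Debian:` fields; `From:`/`Subject:` are accepted by DEP-3, but an `Origin: upstream, <URL of commit 3b5b171e91ce78b966c98b1292a1bcbc8d984799>` and `Bug-Debian: https://bugs.debian.org/989438` would document provenance for anyone auditing the security fix later.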

--- End Message ---
--- Begin Message ---
On 2021-07-06 23:49:59 +0200, Sandro Knauß wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: debian-qt-...@lists.debian.org
> 
> Please unblock package kf5-messagelib
> 
> [ Reason ]
> The -5 just fixes CVE-2021-31855, handled in #989438:
> If a user deletes an attachment of an encrypted mail, this step
> will trigger an upload of the encrypted mail to the IMAP server.
> 
> [ Impact ]
> The software has a known CVE.
> 
> [ Tests ]
> Uploaded the -5 several days ago without any bad user response. The
> upstream bugfix also did not trigger any bad user experience on other
> Linux distros.
> 
> [ Risks ]
> The fix is very simple, just a single line. I have reviewed the
> upstream bugfix myself, so I'm quite confident that this fixes
> the CVE properly.
> 
> [ Checklist ]
>   [ x ] all changes are documented in the d/changelog
>   [ x ] I reviewed all changes and I approve them
>   [ x ] attach debdiff against the package in testing
> 
> [ Other info ]
> I forgot to mention the bug number in d/changelog.
> 
> unblock kf5-messagelib/4:20.08.3-5

From https://tracker.debian.org/pkg/kf5-messagelib:

[2021-06-28] kf5-messagelib 4:20.08.3-5 MIGRATED to testing (Debian testing watch)

Cheers



-- 
Sebastian Ramacher



--- End Message ---