
Bug#960306: marked as done (kio-extras: CVE-2020-12755)



Your message dated Wed, 11 Nov 2020 15:19:00 +0000
with message-id <E1kcrtk-0001aV-On@fasolo.debian.org>
and subject line Bug#960306: fixed in kio-extras 4:20.08.3-1
has caused the Debian Bug report #960306,
regarding kio-extras: CVE-2020-12755
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
960306: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960306
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: kio-extras
Version: 4:19.12.3-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for kio-extras.

CVE-2020-12755[0]:
| fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras
| through 20.04.0 makes a cacheAuthentication call even if the user had
| not set the keepPassword option. This may lead to unintended KWallet
| storage of a password.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-12755
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12755
[1] https://cgit.kde.org/kio-extras.git/commit/?id=d813cef3cecdec9af1532a40d677a203ff979145

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: kio-extras
Source-Version: 4:20.08.3-1
Done: Pino Toscano <pino@debian.org>

We believe that the bug you reported is fixed in the latest version of
kio-extras, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 960306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated kio-extras package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Nov 2020 16:06:19 +0100
Source: kio-extras
Architecture: source
Version: 4:20.08.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Pino Toscano <pino@debian.org>
Closes: 960306 973216
Changes:
 kio-extras (4:20.08.3-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Sandro Knauß ]
   * Bump compat level to 13.
   * Add Rules-Requires-Root field to control.
   * New upstream release (20.04.1):
     - fixes CVE-2020-12755 (Closes: #960306)
   * Update build-deps and deps with the info from cmake.
 .
   [ Pino Toscano ]
   * New upstream release:
     - fixes build (Closes: #973216)
   * Update the build dependencies according to the upstream build system:
     - add libtirpc-dev for the NFS kioslave
     - add libkdsoap-dev for the SMB kioslave
   * Remove the explicit as-needed linking, as it is done by binutils now.
   * Re-export upstream signing key without extra signatures.
   * Set field Upstream-Contact in debian/copyright.
   * Remove obsolete fields Contact, Name from debian/upstream/metadata (already
     present in machine-readable debian/copyright).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
