
Bug#864803: marked as done (CVE-2017-9604: Send Later with Delay bypasses OpenPGP)



Your message dated Sun, 18 Jun 2017 00:14:31 +0000
with message-id <E1dMNrL-000FGY-I4@fasolo.debian.org>
and subject line Bug#864803: fixed in kf5-messagelib 4:16.04.3-3
has caused the Debian Bug report #864803,
regarding CVE-2017-9604: Send Later with Delay bypasses OpenPGP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
864803: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864803
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: kf5-messagelib
Version: 4:16.04.3-2
Severity: important
Tags: patch upstream security
Control: clone -1 -2
Control: reassign -2 kdepim 4:4.14.1-1

Hi,

the following vulnerability was published for kf5-messagelib (and
kmail).

CVE-2017-9604[0]:
| KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in
| KDE Applications before 17.04.2, do not ensure that a plugin's
| sign/encrypt action occurs during use of the Send Later feature, which
| allows remote attackers to obtain sensitive information by sniffing the
| network.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9604
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9604
[1] https://www.kde.org/info/security/advisory-20170615-1.txt

Looking at the patchset I see it would apply as well to
kdepim/4:4.14.1-1 to some extent. I have some difficulties, though, to
correctly classify it, not knowing this Send Later feature. Can you please
double check the above?

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: kf5-messagelib
Source-Version: 4:16.04.3-3

We believe that the bug you reported is fixed in the latest version of
kf5-messagelib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864803@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Knauß <hefee@debian.org> (supplier of updated kf5-messagelib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Jun 2017 09:08:12 +0200
Source: kf5-messagelib
Binary: kf5-messagelib-data libkf5messagecomposer5 libkf5messagecomposer-dev libkf5messagecore5 libkf5messagecore-dev libkf5messagelist5 libkf5messagelist-dev libkf5messageviewer5 libkf5messageviewer-dev libkf5templateparser5 libkf5templateparser-dev
Architecture: source
Version: 4:16.04.3-3
Distribution: unstable
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Sandro Knauß <hefee@debian.org>
Description:
 kf5-messagelib-data - KDE PIM messaging library, data files
 libkf5messagecomposer-dev - KDE PIM messaging library, composer devel files
 libkf5messagecomposer5 - KDE PIM messaging library, composer library
 libkf5messagecore-dev - KDE PIM messaging library, core devel files
 libkf5messagecore5 - KDE PIM messaging library, core library
 libkf5messagelist-dev - KDE PIM messaging library, message list devel files
 libkf5messagelist5 - KDE PIM messaging library, message list library
 libkf5messageviewer-dev - KDE PIM messaging library, message viewer devel files
 libkf5messageviewer5 - KDE PIM messaging library, message viewer library
 libkf5templateparser-dev - KDE PIM messaging library, template parser devel files
 libkf5templateparser5 - KMail template parser library
Closes: 864803
Changes:
 kf5-messagelib (4:16.04.3-3) unstable; urgency=high
 .
   * Team upload.
 .
   [ Sandro Knauß ]
   * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803)
     - Added upstream patch fix-CVE-2017-9604.patch

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
