Hey, I have now created a debdiff for kf5-messagelib. This patch touches the public ABI and adds one function, but this should not be a problem. Should I update messageviewer.symbols, too? And what should I add there, given that no Debian revision should be added? hefee
diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog
--- kf5-messagelib-16.04.3/debian/changelog 2017-06-17 09:08:12.000000000 +0200
+++ kf5-messagelib-16.04.3/debian/changelog 2018-05-19 17:16:55.000000000 +0200
@@ -1,3 +1,16 @@
+kf5-messagelib (4:16.04.3-3~deb9u2) stretch; urgency=high
+
+ * Team upload.
+
+ [ Sandro Knauß ]
+ * Limit outcome of CVE-2017-17689: kmail: efail attack against S/MIME
+ (Closes: #899127)
+ - Added upstream patches (modified to apply to old source):
+ * upstream-Distinguish-between-settings-and-explicit-override-f.patch
+ * upstream-Load-external-references-in-encrypted-emails-only-on.patch
+
+ -- Sandro Knauß <hefee@debian.org> Sat, 19 May 2018 17:16:55 +0200
+
kf5-messagelib (4:16.04.3-3~deb9u1) stretch; urgency=high
* Team upload.
diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series
--- kf5-messagelib-16.04.3/debian/patches/series 2017-06-17 09:08:12.000000000 +0200
+++ kf5-messagelib-16.04.3/debian/patches/series 2018-05-19 16:13:08.000000000 +0200
@@ -1,3 +1,5 @@
upstream_add_copying_files.patch
make-it-impossible-to-override-css-settings-from-a-h.patch
fix-CVE-2017-9604.patch
+upstream-Load-external-references-in-encrypted-emails-only-on.patch
+upstream-Distinguish-between-settings-and-explicit-override-f.patch
diff -Nru kf5-messagelib-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-override-f.patch kf5-messagelib-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-override-f.patch
--- kf5-messagelib-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-override-f.patch 1970-01-01 01:00:00.000000000 +0100
+++ kf5-messagelib-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-override-f.patch 2018-05-19 17:10:27.000000000 +0200
@@ -0,0 +1,152 @@
+From 0bb1c5b12745b801f1aa4d6c630911845409e8ee Mon Sep 17 00:00:00 2001
+From: Volker Krause <vkrause@kde.org>
+Date: Thu, 26 Apr 2018 18:31:36 +0200
+Subject: [PATCH 33/44] Distinguish between settings and explicit override for
+ external content
+
+Summary:
+This will allow KMail to properly communicate the difference also when
+using per-folder settings for loading external references. This in turn
+makes D12391 also work in that case.
+
+Reviewers: mlaurent, dvratil, knauss
+
+Reviewed By: knauss
+
+Subscribers: #kde_pim
+
+Tags: #kde_pim
+
+Differential Revision: https://phabricator.kde.org/D12393
+---
+ messageviewer/src/viewer/viewer.cpp | 10 ++++++++--
+ messageviewer/src/viewer/viewer.h | 15 +++++++++++++--
+ messageviewer/src/viewer/viewer_p.cpp | 17 ++++++++++-------
+ messageviewer/src/viewer/viewer_p.h | 19 +++++++++++++++----
+ 4 files changed, 46 insertions(+), 15 deletions(-)
+
+--- a/messageviewer/src/viewer/viewer.cpp
++++ b/messageviewer/src/viewer/viewer.cpp
+@@ -258,10 +258,16 @@ void Viewer::setDisplayFormatMessageOver
+ d->setDisplayFormatMessageOverwrite(format);
+ }
+
+-void Viewer::setHtmlLoadExtOverride(bool override)
++void Viewer::setHtmlLoadExtDefault(bool loadExtDefault)
+ {
+ Q_D(Viewer);
+- d->setHtmlLoadExtOverride(override);
++ d->setHtmlLoadExtDefault(loadExtDefault);
++}
++
++void Viewer::setHtmlLoadExtOverride(bool loadExtOverride)
++{
++ Q_D(Viewer);
++ d->setHtmlLoadExtOverride(loadExtOverride);
+ }
+
+ void Viewer::setAppName(const QString &appName)
+--- a/messageviewer/src/viewer/viewer.h
++++ b/messageviewer/src/viewer/viewer.h
+@@ -203,8 +203,19 @@ public:
+ /** Get the load external references override setting */
+ bool htmlLoadExtOverride() const;
+
+- /** Override default load external references setting */
+- void setHtmlLoadExtOverride(bool override);
++ /** Default behavior for loading external references.
++ * Use this for specifying the external reference loading behavior as
++ * specified in the user settings.
++ * @see setHtmlLoadExtOverride
++ */
++ void setHtmlLoadExtDefault(bool loadExtDefault);
++
++ /** Override default load external references setting
++ * @warning This must only be called when the user has explicitly
++ * been asked to retrieve external references!
++ * @see setHtmlLoadExtDefault
++ */
++ void setHtmlLoadExtOverride(bool loadExtOverride);
+
+ /** Is html mail to be supported? Takes into account override */
+ bool htmlMail() const;
+--- a/messageviewer/src/viewer/viewer_p.cpp
++++ b/messageviewer/src/viewer/viewer_p.cpp
+@@ -217,7 +217,7 @@ ViewerPrivate::ViewerPrivate(Viewer *aPa
+ mDisplayFormatMessageOverwrite = MessageViewer::Viewer::UseGlobalSetting;
+ mHtmlLoadExtOverride = false;
+
+- mHtmlLoadExternalGlobalSetting = false;
++ mHtmlLoadExternalDefaultSetting = false;
+ mHtmlMailGlobalSetting = false;
+
+ mUpdateReaderWinTimer.setObjectName(QStringLiteral("mUpdateReaderWinTimer"));
+@@ -1113,7 +1113,6 @@ void ViewerPrivate::readConfig()
+ }
+
+ mHtmlMailGlobalSetting = MessageViewer::MessageViewerSettings::self()->htmlMail();
+- mHtmlLoadExternalGlobalSetting = MessageViewer::MessageViewerSettings::self()->htmlLoadExternal();
+
+ if (mZoomActionMenu) {
+ mZoomActionMenu->setZoomTextOnly(MessageViewer::MessageViewerSettings::self()->zoomTextOnly());
+@@ -2655,8 +2654,8 @@ bool ViewerPrivate::htmlLoadExternal() c
+ return mHtmlLoadExtOverride;
+ }
+
+- return ((mHtmlLoadExternalGlobalSetting && !mHtmlLoadExtOverride) ||
+- (!mHtmlLoadExternalGlobalSetting && mHtmlLoadExtOverride));
++ return ((mHtmlLoadExternalDefaultSetting && !mHtmlLoadExtOverride) ||
++ (!mHtmlLoadExternalDefaultSetting && mHtmlLoadExtOverride));
+ }
+
+ void ViewerPrivate::setDisplayFormatMessageOverwrite(Viewer::DisplayFormatMessage format)
+@@ -2673,9 +2672,14 @@ Viewer::DisplayFormatMessage ViewerPriva
+ return mDisplayFormatMessageOverwrite;
+ }
+
+-void ViewerPrivate::setHtmlLoadExtOverride(bool override)
++void ViewerPrivate::setHtmlLoadExtDefault(bool loadExtDefault)
+ {
+- mHtmlLoadExtOverride = override;
++ mHtmlLoadExternalDefaultSetting = loadExtDefault;
++}
++
++void ViewerPrivate::setHtmlLoadExtOverride(bool loadExtOverride)
++{
++ mHtmlLoadExtOverride = loadExtOverride;
+ }
+
+ bool ViewerPrivate::htmlLoadExtOverride() const
+--- a/messageviewer/src/viewer/viewer_p.h
++++ b/messageviewer/src/viewer/viewer_p.h
+@@ -379,8 +379,19 @@ public:
+ /** Get the load external references override setting */
+ bool htmlLoadExtOverride() const;
+
+- /** Override default load external references setting */
+- void setHtmlLoadExtOverride(bool override);
++ /** Default behavior for loading external references.
++ * Use this for specifying the external reference loading behavior as
++ * specified in the user settings.
++ * @see setHtmlLoadExtOverride
++ */
++ void setHtmlLoadExtDefault(bool loadExtDefault);
++
++ /** Override default load external references setting
++ * @warning This must only be called when the user has explicitly
++ * been asked to retrieve external references!
++ * @see setHtmlLoadExtDefault
++ */
++ void setHtmlLoadExtOverride(bool loadExtOverride);
+
+ /** Enforce message decryption. */
+ void setDecryptMessageOverwrite(bool overwrite = true);
+@@ -588,7 +599,7 @@ private:
+ public:
+ NodeHelper *mNodeHelper;
+ bool mHtmlMailGlobalSetting;
+- bool mHtmlLoadExternalGlobalSetting;
++ bool mHtmlLoadExternalDefaultSetting;
+ bool mHtmlLoadExtOverride;
+ KMime::Message::Ptr mMessage; //the current message, if it was set manually
+ Akonadi::Item mMessageItem; //the message item from Akonadi
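Review bot: The readConfig() hunk in viewer_p.cpp removes the line that read `MessageViewerSettings::self()->htmlLoadExternal()`, so mHtmlLoadExternalDefaultSetting keeps its constructor value of `false` unless a caller invokes the new setHtmlLoadExtDefault(). As far as this diff shows, any application linking this library that is not updated alongside it would silently stop honouring the user's "load external references" setting; that fails closed, but it is a behaviour change that neither the changelog entry nor the header mentions. I would add it to the doc comment in viewer.h and viewer_p.h, e.g. `* @note The viewer no longer reads this value from MessageViewerSettings; the application must call this after loading its configuration.` Separately, htmlLoadExternal() still combines the two flags as an exclusive-or for unencrypted mail, so a default of true with an override of true yields false, which sits oddly with the new @warning wording that describes the override as an explicit user request to load.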
diff -Nru kf5-messagelib-16.04.3/debian/patches/upstream-Load-external-references-in-encrypted-emails-only-on.patch kf5-messagelib-16.04.3/debian/patches/upstream-Load-external-references-in-encrypted-emails-only-on.patch
--- kf5-messagelib-16.04.3/debian/patches/upstream-Load-external-references-in-encrypted-emails-only-on.patch 1970-01-01 01:00:00.000000000 +0100
+++ kf5-messagelib-16.04.3/debian/patches/upstream-Load-external-references-in-encrypted-emails-only-on.patch 2018-05-19 17:10:27.000000000 +0200
@@ -0,0 +1,37 @@
+From 221a5d4ee8ce6c73d927299596f7e0dec22ad230 Mon Sep 17 00:00:00 2001
+From: Volker Krause <vkrause@kde.org>
+Date: Thu, 26 Apr 2018 18:23:15 +0200
+Subject: [PATCH 32/44] Load external references in encrypted emails only on
+ explicit request
+
+Reviewers: mlaurent, dvratil, knauss
+
+Reviewed By: knauss
+
+Subscribers: #kde_pim
+
+Tags: #kde_pim
+
+Differential Revision: https://phabricator.kde.org/D12391
+---
+ messageviewer/src/viewer/viewer_p.cpp | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/messageviewer/src/viewer/viewer_p.cpp
++++ b/messageviewer/src/viewer/viewer_p.cpp
+@@ -2646,6 +2646,15 @@ bool ViewerPrivate::htmlMail() const
+
+ bool ViewerPrivate::htmlLoadExternal() const
+ {
++ if (!mNodeHelper || !mMessage) {
++ return mHtmlLoadExtOverride;
++ }
++
++ // when displaying an encrypted message, only load external resources on explicit request
++ if (mNodeHelper->overallEncryptionState(mMessage.data()) != MessageViewer::KMMsgNotEncrypted) {
++ return mHtmlLoadExtOverride;
++ }
++
+ return ((mHtmlLoadExternalGlobalSetting && !mHtmlLoadExtOverride) ||
+ (!mHtmlLoadExternalGlobalSetting && mHtmlLoadExtOverride));
+ }
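Review bot: The first guard added to htmlLoadExternal(), `if (!mNodeHelper || !mMessage)`, returns only the override flag and therefore ignores the user's setting whenever no message is set, and nothing in the patch says this is intended. viewer_p.h describes mMessage as "the current message, if it was set manually", so it is worth confirming that mMessage is also populated when the viewer is fed from mMessageItem; if it is not, the encryption check below is never reached on that path and external content stays off for unencrypted mail too. I would document the intent above the guard, e.g. `// no message to inspect: fail closed, load external content only on explicit request`. The check also depends on overallEncryptionState() already reflecting the parsed message at the time this is called, which cannot be verified from this hunk.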