Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

To: 899128@bugs.debian.org
Cc: security@debian.org, Yves-Alexis Perez <corsac@debian.org>
Subject: Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
From: Sandro Knauß <hefee@debian.org>
Date: Sat, 19 May 2018 19:18:06 +0200
Message-id: <[🔎] 2812864.mU03vGeRom@tuxin>
Reply-to: Sandro Knauß <hefee@debian.org>, 899128@bugs.debian.org
References: <[🔎] 152630478232.31531.13923733201808973896.reportbug@scapa>

Control: tags -1 +patch

Hey,

I now created a debdiff for kdepim. The patch depdends on the new symbol that 
was added in new messageviewer (see #899127).

hefee

diff -Nru kdepim-16.04.3/debian/changelog kdepim-16.04.3/debian/changelog
--- kdepim-16.04.3/debian/changelog	2017-06-17 12:12:03.000000000 +0200
+++ kdepim-16.04.3/debian/changelog	2018-05-19 19:11:15.000000000 +0200
@@ -1,3 +1,15 @@
+kdepim (4:16.04.3-4~deb9u2) stretch; urgency=high
+
+  * Team upload.
+
+  [ Sandro Knauß ]
+  * Limit CVE-2017-17689 (EFAIL) for kmail (Closes: #899128)
+    - Added upstream patch (modified to apply)
+      upstream-Distinguish-between-settings-and-explicit-overrides-.patch
+    - Update dependendy against kf5-messagelib
+
+ -- Sandro Knauß <hefee@debian.org>  Sat, 19 May 2018 19:11:15 +0200
+
 kdepim (4:16.04.3-4~deb9u1) stretch; urgency=high
 
   * Team upload.
diff -Nru kdepim-16.04.3/debian/control kdepim-16.04.3/debian/control
--- kdepim-16.04.3/debian/control	2017-06-17 12:12:03.000000000 +0200
+++ kdepim-16.04.3/debian/control	2018-05-19 18:21:40.000000000 +0200
@@ -73,7 +73,7 @@
                libkf5messagecomposer-dev,
                libkf5messagecore-dev (>= 5.2.0~),
                libkf5messagelist-dev,
-               libkf5messageviewer-dev (>= 5.2.0~),
+               libkf5messageviewer-dev (>= 4:16.04.3-3~deb9u2),
                libkf5mime-dev (>= 15.12~),
                libkf5newstuff-dev (>= 5.19.0~),
                libkf5notifyconfig-dev (>= 5.19.0~),
diff -Nru kdepim-16.04.3/debian/patches/series kdepim-16.04.3/debian/patches/series
--- kdepim-16.04.3/debian/patches/series	2017-06-17 12:12:03.000000000 +0200
+++ kdepim-16.04.3/debian/patches/series	2018-05-19 17:49:42.000000000 +0200
@@ -5,3 +5,4 @@
 fix_crash_when_a_second_instance_of_KAlarm_is_started.patch
 konsolekalendar_help.patch
 fix-CVE-2017-9604.patch
+upstream-Distinguish-between-settings-and-explicit-overrides-.patch
diff -Nru kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch
--- kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch	1970-01-01 01:00:00.000000000 +0100
+++ kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch	2018-05-19 18:18:28.000000000 +0200
@@ -0,0 +1,115 @@
+From 88558f6273650a03d2828027e04116564ca18f20 Mon Sep 17 00:00:00 2001
+From: Volker Krause <vkrause@kde.org>
+Date: Thu, 26 Apr 2018 18:44:24 +0200
+Subject: [PATCH 3/9] Distinguish between settings and explicit overrides for
+ external content
+
+Summary: See D12391 and D12393 in messagelib.
+
+Reviewers: mlaurent, dvratil, knauss
+
+Reviewed By: knauss
+
+Subscribers: #kde_pim
+
+Tags: #kde_pim
+
+Differential Revision: https://phabricator.kde.org/D12394
+---
+ kmail/kmmainwidget.cpp    | 6 +++---
+ kmail/kmreadermainwin.cpp | 4 ++--
+ kmail/kmreadermainwin.h   | 2 +-
+ kmail/kmreaderwin.cpp     | 9 +++++++--
+ kmail/kmreaderwin.h       | 3 ++-
+ 5 files changed, 15 insertions(+), 9 deletions(-)
+
+--- a/kmail/kmmainwidget.cpp
++++ b/kmail/kmmainwidget.cpp
+@@ -513,7 +513,7 @@ void KMMainWidget::folderSelected(const
+     readFolderConfig();
+     if (mMsgView) {
+         mMsgView->setDisplayFormatMessageOverwrite(mFolderDisplayFormatPreference);
+-        mMsgView->setHtmlLoadExtOverride(mFolderHtmlLoadExtPreference);
++        mMsgView->setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference);
+     }
+ 
+     if (!mCurrentFolder->isValid() && (mMessagePane->count() < 2)) {
+@@ -1593,7 +1593,7 @@ void KMMainWidget::slotOverrideHtmlLoadE
+     mFolderHtmlLoadExtPreference = !mFolderHtmlLoadExtPreference;
+ 
+     if (mMsgView) {
+-        mMsgView->setHtmlLoadExtOverride(mFolderHtmlLoadExtPreference);
++        mMsgView->setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference);
+         mMsgView->update(true);
+     }
+ }
+@@ -4391,7 +4391,7 @@ void KMMainWidget::itemsReceived(const A
+     mMsgView->setMessage(copyItem);
+     // reset HTML override to the folder setting
+     mMsgView->setDisplayFormatMessageOverwrite(mFolderDisplayFormatPreference);
+-    mMsgView->setHtmlLoadExtOverride(mFolderHtmlLoadExtPreference);
++    mMsgView->setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference);
+     mMsgView->setDecryptMessageOverwrite(false);
+     mMsgActions->setCurrentMessage(copyItem);
+ }
+--- a/kmail/kmreadermainwin.cpp
++++ b/kmail/kmreadermainwin.cpp
+@@ -72,14 +72,14 @@
+ 
+ using namespace MailCommon;
+ 
+-KMReaderMainWin::KMReaderMainWin(MessageViewer::Viewer::DisplayFormatMessage format, bool htmlLoadExtOverride,
++KMReaderMainWin::KMReaderMainWin(MessageViewer::Viewer::DisplayFormatMessage format, bool htmlLoadExtDefault,
+                                  char *name)
+     : KMail::SecondaryWindow(name ? name : "readerwindow#")
+ {
+     mReaderWin = new KMReaderWin(this, this, actionCollection());
+     //mReaderWin->setShowCompleteMessage( true );
+     mReaderWin->setDisplayFormatMessageOverwrite(format);
+-    mReaderWin->setHtmlLoadExtOverride(htmlLoadExtOverride);
++    mReaderWin->setHtmlLoadExtDefault(htmlLoadExtDefault);
+     mReaderWin->setDecryptMessageOverwrite(true);
+     initKMReaderMainWin();
+ }
+--- a/kmail/kmreadermainwin.h
++++ b/kmail/kmreadermainwin.h
+@@ -35,7 +35,7 @@ class KMAIL_EXPORT KMReaderMainWin : pub
+     Q_OBJECT
+ 
+ public:
+-    KMReaderMainWin(MessageViewer::Viewer::DisplayFormatMessage format, bool htmlLoadExtOverride, char *name = Q_NULLPTR);
++    KMReaderMainWin(MessageViewer::Viewer::DisplayFormatMessage format, bool htmlLoadExtDefault, char *name = Q_NULLPTR);
+     explicit KMReaderMainWin(char *name = Q_NULLPTR);
+     KMReaderMainWin(KMime::Content *aMsgPart, MessageViewer::Viewer::DisplayFormatMessage format, const QString &encoding, char *name = Q_NULLPTR);
+     virtual ~KMReaderMainWin();
+--- a/kmail/kmreaderwin.cpp
++++ b/kmail/kmreaderwin.cpp
+@@ -406,9 +406,14 @@ void KMReaderWin::setDisplayFormatMessag
+     mViewer->setDisplayFormatMessageOverwrite(format);
+ }
+ 
+-void KMReaderWin::setHtmlLoadExtOverride(bool Q_DECL_OVERRIDE)
++void KMReaderWin::setHtmlLoadExtDefault(bool loadExtDefault)
+ {
+-    mViewer->setHtmlLoadExtOverride(Q_DECL_OVERRIDE);
++    mViewer->setHtmlLoadExtDefault(loadExtDefault);
++}
++
++void KMReaderWin::setHtmlLoadExtOverride(bool loadExtOverride)
++{
++    mViewer->setHtmlLoadExtOverride(loadExtOverride);
+ }
+ 
+ bool KMReaderWin::htmlMail() const
+--- a/kmail/kmreaderwin.h
++++ b/kmail/kmreaderwin.h
+@@ -95,7 +95,8 @@ public:
+ 
+     /** Override default load external references setting */
+     bool htmlLoadExtOverride() const;
+-    void setHtmlLoadExtOverride(bool override);
++    void setHtmlLoadExtDefault(bool loadExtDefault);
++    void setHtmlLoadExtOverride(bool loadExtOverride);
+ 
+     /** Is html mail to be supported? Takes into account override */
+     bool htmlMail() const;

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

References:
- Bug#898634: kmail: efail attack against S/MIME
  - From: Yves-Alexis Perez <corsac@debian.org>

Prev by Date: Processed: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
Next by Date: Bug#886214: kdepim lost kjots
Previous by thread: Processed: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
Next by thread: Bug#895718: python-pyqt5: import PyQt5.QtCore fails
Index(es):
- Date
- Thread