Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

[Ivo De Decker <ivodd@debian.org>]

Hi Salvatore,

On 4/8/19 10:59 PM, Salvatore Bonaccorso wrote:
> Control: reassign -1 src:kdepim
> On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote:
> > Hi,
> >
> > On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote:
> > > I now created a debdiff for kdepim. The patch depdends on the new symbol that
> > > was added in new messageviewer (see #899127).
> >
> > Does this bug still affect buster/sid? From the bug log and the tracker for
> > CVE-2017-17689, it look like kmail in buster/sid is not affected, but it would
> > be good if someone could confirm that.
>
> I think the tracking problem was hiere that #899128 is associated with
> src:meta-kde, but it should be src:kdepim (#899128) and respectively
> kf5-messagelib was #899127. The issue was fixed in the kf5-messagelib
> in version 4:18.08.1-1. In stretch src:kdepim was a source package,
> whilst in buster kdepim is a binary package produced by kde-meta, but
> the issue lies there in src:kf5-messagelib.

The tracker for CVE-2017-17689 doesn't list anything related to kdepim 
or src:meta-kde for buster. Is the issue fixed in the binary kdepim 
(produced by src:meta-kde) in buster? If so, that should probably be 
stated explicitly in the tracker.

The reassign means that the BTS thinks this issue doesn't affect buster 
anymore. I'm assuming that's correct.

Thanks,

Ivo