Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
On Tue, Apr 09, 2019 at 06:49:16PM +0200, Ivo De Decker wrote:
> Hi Salvatore,
>
> On 4/8/19 10:59 PM, Salvatore Bonaccorso wrote:
> > Control: reassign -1 src:kdepim
> > On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote:
> > > Hi,
> > >
> > > On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote:
> > > > I now created a debdiff for kdepim. The patch depdends on the new symbol that
> > > > was added in new messageviewer (see #899127).
> > >
> > > Does this bug still affect buster/sid? From the bug log and the tracker for
> > > CVE-2017-17689, it look like kmail in buster/sid is not affected, but it would
> > > be good if someone could confirm that.
> >
> > I think the tracking problem was hiere that #899128 is associated with
> > src:meta-kde, but it should be src:kdepim (#899128) and respectively
> > kf5-messagelib was #899127. The issue was fixed in the kf5-messagelib
> > in version 4:18.08.1-1. In stretch src:kdepim was a source package,
> > whilst in buster kdepim is a binary package produced by kde-meta, but
> > the issue lies there in src:kf5-messagelib.
>
> The tracker for CVE-2017-17689 doesn't list anything related to kdepim or
> src:meta-kde for buster. Is the issue fixed in the binary kdepim (produced
> by src:meta-kde) in buster? If so, that should probably be stated explicitly
> in the tracker.
For buster the affected code is in src:kf5-messagelib and fixed in 4:18.08.1-1
In stretch the affected code is in src:kdepim
In Buster the binary package kdepim is now built out of src:meta-kde, but that
was never affected. That's we don't track src:meta-kde at all in
https://security-tracker.debian.org/tracker/CVE-2017-17689
Does that clarify?
Cheers,
Moritz
Reply to: