Bug#926996: kmail: CVE-2019-10732: decryption based on replying to PGP or S/MIME encrypted emails

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#926996: kmail: CVE-2019-10732: decryption based on replying to PGP or S/MIME encrypted emails
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 13 Apr 2019 10:31:53 +0200
Message-id: <[🔎] 155514431375.29734.9166112587474396736.reportbug@eldamar.local>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 926996@bugs.debian.org

Source: kmail
Version: 4:18.08.3-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.kde.org/show_bug.cgi?id=404698

Hi,

The following vulnerability was published for kmail. It was reported
upstream at [1] but at point of writing the bugreport there is not
much information available (or fix).

CVE-2019-10732[0]:
| In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP
| encrypted emails can wrap them as sub-parts within a crafted multipart
| email. The encrypted part(s) can further be hidden using HTML/CSS or
| ASCII newline characters. This modified multipart email can be re-sent
| by the attacker to the intended receiver. If the receiver replies to
| this (benign looking) email, they unknowingly leak the plaintext of
| the encrypted message part(s) back to the attacker.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10732
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10732
[1] https://bugs.kde.org/show_bug.cgi?id=404698

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Prev by Date: Processed (with 1 error): merging 880516 900675
Next by Date: Bug#915319: kde-runtime FTBFS with samba 4.9
Previous by thread: Processed (with 1 error): merging 880516 900675
Next by thread: Bug#915319: kde-runtime FTBFS with samba 4.9
Index(es):
- Date
- Thread