Bug#958054: marked as done (kmail: CVE-2020-11880)

To: John Scott <jscott@posteo.net>
Subject: Bug#958054: marked as done (kmail: CVE-2020-11880)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Wed, 01 Jul 2020 00:21:03 +0000
Message-id: <[🔎] handler.958054.D958054.159356272818549.ackdone@bugs.debian.org>
Reply-to: 958054@bugs.debian.org
References: <4805313.FXlFleh81E@t450> <158715667217.1372594.11577362343190010357.reportbug@eldamar.local>

Your message dated Tue, 30 Jun 2020 20:18:35 -0400
with message-id <4805313.FXlFleh81E@t450>
and subject line Re: Bug#958054: kmail: CVE-2020-11880
has caused the Debian Bug report #958054,
regarding kmail: CVE-2020-11880
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
958054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958054
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kmail: CVE-2020-11880
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 17 Apr 2020 22:51:12 +0200
Message-id: <158715667217.1372594.11577362343190010357.reportbug@eldamar.local>

Source: kmail
Version: 4:19.08.3-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

The following vulnerability was published for kmail, it was fixed in
v19.12.3 upstream.

CVE-2020-11880[0]:
| An issue was discovered in KDE KMail before 19.12.3. By using the
| proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or
| other source of mailto links) can make KMail attach local files to a
| composed email message without showing a warning to the user, as
| demonstrated by an attach=.bash_history value.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11880
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11880
[1] https://cgit.kde.org/kmail.git/commit/?id=2a348eccd352260f192d9b449492071bbf2b34b1

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

To: 958054-done@bugs.debian.org

Subject: Re: Bug#958054: kmail: CVE-2020-11880

From: John Scott <jscott@posteo.net>

Date: Tue, 30 Jun 2020 20:18:35 -0400

Message-id: <4805313.FXlFleh81E@t450>

In-reply-to: <158715667217.1372594.11577362343190010357.reportbug@eldamar.local>

References: <158715667217.1372594.11577362343190010357.reportbug@eldamar.local>
Version: 4:20.04.0-1

On Friday, April 17, 2020 4:51:12 PM EDT Salvatore Bonaccorso wrote:
> The following vulnerability was published for kmail, it was fixed in
> v19.12.3 upstream.

Unfortunately KDE's cgit seems to be down right now so I can't have a look at 
the patch. This was seemingly missed in the 24.04.0 changelog so I'm closing 
this bug. Whether it's small and workable enough to be backported to Buster is 
yet to be determined, not that I've tried reproducing it there.

https://cgit.kde.org/kmail.git/commit/?
id=2a348eccd352260f192d9b449492071bbf2b34b1
Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---

Reply to:

Next by Date: Processing of clazy_1.7-1_source.changes
Next by thread: Processing of clazy_1.7-1_source.changes
Index(es):
- Date
- Thread