Bug#869574: stretch-pu: package kdepim/4:16.04.3-4

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 869574@bugs.debian.org
Subject: Bug#869574: stretch-pu: package kdepim/4:16.04.3-4
From: Sandro Knauß <hefee@debian.org>
Date: Mon, 21 Aug 2017 18:03:34 +0200
Message-id: <[🔎] 26849256.LIN6Wi79gC@tuxin>
Reply-to: Sandro Knauß <hefee@debian.org>, 869574@bugs.debian.org
In-reply-to: <1501341415.29960.27.camel@adam-barratt.org.uk>
References: <150090592804.17057.4247277536039199436.reportbug@tuxin.local> <3592537.mOV1IUofGs@tuxin> <1501341415.29960.27.camel@adam-barratt.org.uk> <150090592804.17057.4247277536039199436.reportbug@tuxin.local>

Hey,

now I rebuilt the package with the attached debdif on a sbuild -d stretch-
amd64 and tried kontact under a virtualbox.

Best Regards,

sandro

--
On Samstag, 29. Juli 2017 16:16:55 CEST Adam D. Barratt wrote:
> On Sat, 2017-07-29 at 14:24 +0200, Sandro Knauß wrote:
> > Hey,
> > 
> > > currently in stretch is 4:16.04.3-3. Thus the version which should
> > > preferably be used would be 4:16.04.3-3+deb9u1.
> > 
> > just to understand the process better:
> > * Do I need to send another debdiff with the corrected versionnumber first
> > before uploading?
> 
> If by that you mean taking the previously incorrectly generated diff and
> simply changing the version number it contains, then no.
> 
> > * Do I need to close this bug within the changelog entry?
> 
> No. The bug will be closed by us once the package is actually in stable.
> Until that point, the process is incomplete, so closing the bug would be
> illogical.
> 
> > * Are there any further issues with my debdiff?
> 
> Besides not being what has been requested multiple times?
> 
> The point of the process is to demonstrate that you can build - and have
> built - your proposed upload against the release that you're proposing
> to upload it to and to confirm what the debdiff of the resulting package
> against the target release looks like.
> 
> It's entirely possible that it will be the same as the diff between the
> stable and testing packages that you previously provided. That's by no
> means certain, however, and in any case diffing things that aren't what
> you're proposing to upload misses the point of the review step.
> 
> This isn't theoretical nitpicking. We've seen there be a distinct
> difference between what people propose and what they actually upload
> enough times in the past that there's no way we'll agree an update based
> on a hypothetical diff rather than an actually built and tested one.
> 
> Regards,
> 
> Adam

diff -Nru kdepim-16.04.3/debian/changelog kdepim-16.04.3/debian/changelog
--- kdepim-16.04.3/debian/changelog	2016-11-23 14:38:49.000000000 +0100
+++ kdepim-16.04.3/debian/changelog	2017-06-17 12:12:03.000000000 +0200
@@ -1,3 +1,13 @@
+kdepim (4:16.04.3-4~deb9u1) stretch; urgency=high
+
+  * Team upload.
+
+  [ Sandro Knauß ]
+  * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864804)
+    - Added upstream patch fix-CVE-2017-9604.patch
+
+ -- Sandro Knauß <hefee@debian.org>  Sat, 17 Jun 2017 12:12:03 +0200
+
 kdepim (4:16.04.3-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru kdepim-16.04.3/debian/patches/fix-CVE-2017-9604.patch kdepim-16.04.3/debian/patches/fix-CVE-2017-9604.patch
--- kdepim-16.04.3/debian/patches/fix-CVE-2017-9604.patch	1970-01-01 01:00:00.000000000 +0100
+++ kdepim-16.04.3/debian/patches/fix-CVE-2017-9604.patch	2017-06-17 12:12:03.000000000 +0200
@@ -0,0 +1,62 @@
+From 78c5552be2f00a4ac25bd77ca39386522fca70a8 Mon Sep 17 00:00:00 2001
+From: Montel Laurent <montel@kde.org>
+Date: Fri, 2 Jun 2017 13:59:02 +0200
+Subject: Make sure that we use plugin when we use sendlater feature
+
+---
+ kmail/editor/kmcomposerwin.cpp | 9 +++++----
+ kmail/editor/kmcomposerwin.h   | 3 ++-
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kmail/editor/kmcomposerwin.cpp
++++ b/kmail/editor/kmcomposerwin.cpp
+@@ -2376,7 +2376,7 @@ void KMComposerWin::printComposeResult(K
+ }
+ 
+ void KMComposerWin::doSend(MessageComposer::MessageSender::SendMethod method,
+-                           MessageComposer::MessageSender::SaveIn saveIn)
++                           MessageComposer::MessageSender::SaveIn saveIn, bool willSendItWithoutReediting)
+ {
+     if (mStorageService->numProgressUpdateFile() > 0) {
+         KMessageBox::sorry(this, i18np("There is %1 file upload in progress.",
+@@ -2391,7 +2391,7 @@ void KMComposerWin::doSend(MessageCompos
+         }
+     }
+ 
+-    if (saveIn == MessageComposer::MessageSender::SaveInNone) {   // don't save as draft or template, send immediately
++    if (saveIn == MessageComposer::MessageSender::SaveInNone || willSendItWithoutReediting) {   // don't save as draft or template, send immediately
+         if (KEmailAddress::firstEmailAddress(from()).isEmpty()) {
+             if (!(mShowHeaders & HDR_FROM)) {
+                 mShowHeaders |= HDR_FROM;
+@@ -2558,6 +2558,7 @@ void KMComposerWin::slotSendLater()
+     if (!checkRecipientNumber()) {
+         return;
+     }
++    mComposerBase->setSendLaterInfo(nullptr);
+     if (mComposerBase->editor()->checkExternalEditorFinished()) {
+         const bool wasRegistered = (SendLater::SendLaterUtil::sentLaterAgentWasRegistered() && SendLater::SendLaterUtil::sentLaterAgentEnabled());
+         if (wasRegistered) {
+@@ -2580,9 +2581,9 @@ void KMComposerWin::slotSendLater()
+                 case SendLater::SendLaterDialog::SendDeliveryAtTime: {
+                     mComposerBase->setSendLaterInfo(info);
+                     if (info->isRecurrence()) {
+-                        doSend(MessageComposer::MessageSender::SendLater, MessageComposer::MessageSender::SaveInTemplates);
++                        doSend(MessageComposer::MessageSender::SendLater, MessageComposer::MessageSender::SaveInTemplates, true);
+                     } else {
+-                        doSend(MessageComposer::MessageSender::SendLater, MessageComposer::MessageSender::SaveInDrafts);
++                        doSend(MessageComposer::MessageSender::SendLater, MessageComposer::MessageSender::SaveInDrafts, true);
+                     }
+                     break;
+                 }
+--- a/kmail/editor/kmcomposerwin.h
++++ b/kmail/editor/kmcomposerwin.h
+@@ -510,7 +510,8 @@ private:
+      * Send the message.
+      */
+     void doSend(MessageComposer::MessageSender::SendMethod method = MessageComposer::MessageSender::SendDefault,
+-                MessageComposer::MessageSender::SaveIn saveIn = MessageComposer::MessageSender::SaveInNone);
++                MessageComposer::MessageSender::SaveIn saveIn = MessageComposer::MessageSender::SaveInNone,
++                bool willSendItWithoutReediting = false);
+ 
+     void doDelayedSend(MessageComposer::MessageSender::SendMethod method, MessageComposer::MessageSender::SaveIn saveIn);
+ 
diff -Nru kdepim-16.04.3/debian/patches/series kdepim-16.04.3/debian/patches/series
--- kdepim-16.04.3/debian/patches/series	2016-11-23 13:27:45.000000000 +0100
+++ kdepim-16.04.3/debian/patches/series	2017-06-17 12:12:03.000000000 +0200
@@ -4,3 +4,4 @@
 fix_crash_on_exit.patch
 fix_crash_when_a_second_instance_of_KAlarm_is_started.patch
 konsolekalendar_help.patch
+fix-CVE-2017-9604.patch

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Follow-Ups:
- Bug#869574: stretch-pu: package kdepim/4:16.04.3-4
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#872818: stretch-pu: package cvxopt/1.1.4-1.5+deb9u1
Next by Date: Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
Previous by thread: Processed: Re: Bug#872818: stretch-pu: package cvxopt/1.1.4-1.5+deb9u1
Next by thread: Bug#869574: stretch-pu: package kdepim/4:16.04.3-4
Index(es):
- Date
- Thread