Hey,

now I rebuilt the package with the attached debdiff on a sbuild -d stretch-amd64 and tried kontact under a virtualbox.

Best Regards,

sandro

--
On Monday, 24 July 2017 16:26:22 CEST Adam D. Barratt wrote:
> On 2017-07-24 15:45, Sandro Knauß wrote:
> > Control: tags -1 - moreinfo
> >
> >> We'll need to see a debdiff of the proposed package, built and tested
> >> on stretch, before going any further, please.
> >
> > The debdiff is the version, that is currently in testing. The diff was
> > created when testing was in deep freeze, so actually the version state,
> > that is now in stretch. The version number may need to be adjusted.
>
> It *will* need to be adjusted. You can't re-upload with a version number
> that's already been used.
>
> Again, what was requested was a debdiff of the actual proposed package,
> not simply the result of comparing the current unstable/testing package
> against stable.
>
> Regards,
>
> Adam

diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog
--- kf5-messagelib-16.04.3/debian/changelog 2016-08-02 14:07:27.000000000 +0200
+++ kf5-messagelib-16.04.3/debian/changelog 2017-06-17 09:08:12.000000000 +0200
@@ -1,3 +1,13 @@
+kf5-messagelib (4:16.04.3-3~deb9u1) stretch; urgency=high
+
+ * Team upload.
+
+ [ Sandro Knauß ]
+ * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803)
+ - Added upstream patch fix-CVE-2017-9604.patch
+
+ -- Sandro Knauß <hefee@debian.org> Sat, 17 Jun 2017 09:08:12 +0200
+
kf5-messagelib (4:16.04.3-2) unstable; urgency=high
[ Automatic packaging ]
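Review bot: the new top entry is versioned 4:16.04.3-3~deb9u1, but the entry directly below it in this hunk is 4:16.04.3-2, so no 4:16.04.3-3 entry is visible for the ~deb9u1 suffix to refer to. Because `~` sorts before the bare version, this reads as a rebuild of a -3 upload whose changelog entry is missing; either keep the -3 entry underneath or state in this entry which upload it is based on. The trailer date (Sat, 17 Jun 2017) also predates the rebuild described in the message, so it should be refreshed when the version is finalised.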
diff -Nru kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch
--- kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 1970-01-01 01:00:00.000000000 +0100
+++ kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 2017-06-17 09:08:12.000000000 +0200
@@ -0,0 +1,26 @@
+From c54706e990bbd6498e7b1597ec7900bc809e8197 Mon Sep 17 00:00:00 2001
+From: Montel Laurent <montel@kde.org>
+Date: Fri, 2 Jun 2017 13:56:41 +0200
+Subject: Make sure to sign/encrypt message when we send later
+
+(cherry picked from commit 4048f5e46d0a7d62d93d74fd2861dd70fb2ad660)
+---
+ messagecomposer/src/composer/composerviewbase.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp
+index d44b8b2..672ea1e 100644
+--- a/messagecomposer/src/composer/composerviewbase.cpp
++++ b/messagecomposer/src/composer/composerviewbase.cpp
+@@ -468,7 +468,7 @@ void MessageComposer::ComposerViewBase::slotEmailAddressResolved(KJob *job)
+ // if so, we create a composer per format
+ // if we aren't signing or encrypting, this just returns a single empty message
+ bool wasCanceled = false;
+- if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone) {
++ if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone && !mSendLaterInfo) {
+ MessageComposer::Composer *composer = new MessageComposer::Composer;
+ composer->setNoCrypto(true);
+ m_composers.append(composer);
+--
+cgit v0.11.2
+
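Review bot: the added `!mSendLaterInfo` term in the condition in slotEmailAddressResolved is not explained, and the two comment lines above it still describe only the signing/encrypting case. A short comment stating that a send-later message must not take the `composer->setNoCrypto(true)` path would keep the check from being dropped in a later cleanup. The fix also relies on mSendLaterInfo being unset whenever send-later is not in use, which this hunk does not show, so that is worth confirming against the full file. The patch file itself carries only the upstream From/Subject lines and the cherry-pick reference; a DEP-3 Origin and Bug-Debian header pointing at #864803 would make its provenance clear in debian/patches.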
diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series
--- kf5-messagelib-16.04.3/debian/patches/series 2016-08-02 14:07:27.000000000 +0200
+++ kf5-messagelib-16.04.3/debian/patches/series 2017-06-17 09:08:12.000000000 +0200
@@ -1,2 +1,3 @@
upstream_add_copying_files.patch
make-it-impossible-to-override-css-settings-from-a-h.patch
+fix-CVE-2017-9604.patch