Bug#990773: unblock: kf5-messagelib/4:20.08.3-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-qt-kde@lists.debian.org
Please unblock package kf5-messagelib
[ Reason ]
The -5 just fixes CVE-2021-31855, handled in #989438:
If a user deletes an attachment of an encrypted mail, this step
will trigger an upload of the encrypted mail to the IMAP server.
[ Impact ]
The software has a known CVE.
[ Tests ]
Uploaded the -5 several days ago without any bad user response. The
upstream bugfix also did not trigger any bad user experience on other
Linux distros.
[ Risks ]
The fix is very simple, just a single line. I have reviewed the
upstream bugfix myself, so I'm quite confident that this fixes
the CVE properly.
[ Checklist ]
[ x ] all changes are documented in the d/changelog
[ x ] I reviewed all changes and I approve them
[ x ] attach debdiff against the package in testing
[ Other info ]
I forgot to mention the bug number in d/changelog.
unblock kf5-messagelib/4:20.08.3-5
diff -Nru kf5-messagelib-20.08.3/debian/changelog kf5-messagelib-20.08.3/debian/changelog
--- kf5-messagelib-20.08.3/debian/changelog 2021-04-06 16:22:38.000000000 +0200
+++ kf5-messagelib-20.08.3/debian/changelog 2021-06-23 12:48:07.000000000 +0200
@@ -1,3 +1,10 @@
+kf5-messagelib (4:20.08.3-5) unstable; urgency=high
+
+ [ Norbert Preining ]
+ * Backport upstream fix for CVE-2021-31855.
+
+ -- Sandro Knauß <hefee@debian.org> Wed, 23 Jun 2021 12:48:07 +0200
+
kf5-messagelib (4:20.08.3-4) unstable; urgency=medium
* Fix broken patch series file (Closes: #986452).
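Review bot: the new changelog entry does not reference the bug it fixes, which the [ Other info ] section above already admits; the line `* Backport upstream fix for CVE-2021-31855.` should read `* Backport upstream fix for CVE-2021-31855 (Closes: #989438).` so the BTS closes the bug on upload, as the -4 entry does with `(Closes: #986452)`. Since -5 is already in unstable, closing #989438 manually with the version and carrying the reference in the next upload is enough.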
diff -Nru kf5-messagelib-20.08.3/debian/patches/series kf5-messagelib-20.08.3/debian/patches/series
--- kf5-messagelib-20.08.3/debian/patches/series 2021-04-06 16:11:15.000000000 +0200
+++ kf5-messagelib-20.08.3/debian/patches/series 2021-06-10 16:33:14.000000000 +0200
@@ -4,3 +4,4 @@
messagecomposer-Move-protected-headers-to-signed-par.patch
mail-thread-ignored-and-mail-thread-watched-exist-in.patch
KeyResolver-Enable-ContactPreferences-again.patch
+upstream-3b5b171e-cv-2021-31855.patch
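Review bot: the new patch is named `upstream-3b5b171e-cv-2021-31855.patch`, which drops the `e` from `cve`; renaming it to `upstream-3b5b171e-cve-2021-31855.patch` (here and for the file added below) would make it findable by grepping the source tree for the CVE id. Cosmetic only, the series entry itself is fine.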
diff -Nru kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch
--- kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 1970-01-01 01:00:00.000000000 +0100
+++ kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 2021-06-10 16:33:14.000000000 +0200
@@ -0,0 +1,24 @@
+From 3b5b171e91ce78b966c98b1292a1bcbc8d984799 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?= <kloecker@kde.org>
+Date: Thu, 29 Apr 2021 22:13:38 +0200
+Subject: [PATCH] Fix CVE-2021-31855
+
+Deleting an attachment of a decrypted encrypted message stored on a remote server
+(e.g. an IMAP server) causes KMail to upload the decrypted content of the message
+to the remote server. This is not easily noticeable by the user because KMail does
+not display the decrypted content.
+---
+ messageviewer/src/viewer/viewer_p.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/messageviewer/src/viewer/viewer_p.cpp
++++ b/messageviewer/src/viewer/viewer_p.cpp
+@@ -418,7 +418,7 @@ bool ViewerPrivate::deleteAttachment(KMi
+ #ifndef QT_NO_TREEVIEW
+ mMimePartTree->mimePartModel()->setRoot(modifiedMessage);
+ #endif
+- mMessageItem.setPayloadFromData(modifiedMessage->encodedContent());
++ mMessageItem.setPayloadFromData(mMessage->encodedContent());
+ Akonadi::ItemModifyJob *job = new Akonadi::ItemModifyJob(mMessageItem, mSession);
+ job->disableRevisionCheck();
+ connect(job, &KJob::result, this, &ViewerPrivate::itemModifiedResult);
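Review bot: the one-line change is correct in intent: `mMessageItem.setPayloadFromData(...)` now serialises `mMessage` instead of `modifiedMessage`, so the `Akonadi::ItemModifyJob` that follows no longer pushes the decrypted, attachment-stripped copy to the remote server. What the patch header does not say, and d/changelog should, is the side effect visible in the hunk: `mMimePartTree->mimePartModel()->setRoot(modifiedMessage)` two lines above still shows the user the modified copy, while the item written back to the server is the unchanged original, so attachment deletion on such messages is no longer persisted. The patch also carries only the git `From:`/`Subject:` lines; adding a DEP-3 `Origin: upstream, commit 3b5b171e91ce78b966c98b1292a1bcbc8d984799` and `Bug-Debian: https://bugs.debian.org/989438` header would document provenance for the stable update.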