Your message dated Wed, 7 Jul 2021 18:27:00 +0200
with message-id <YOXV1CpVi5aXv/om@ramacher.at>
and subject line Re: Bug#990773: unblock: kf5-messagelib/4:20.08.3-5
has caused the Debian Bug report #990773,
regarding unblock: kf5-messagelib/4:20.08.3-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
990773: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990773
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: kf5-messagelib/4:20.08.3-5
- From: Sandro Knauß <hefee@debian.org>
- Date: Tue, 06 Jul 2021 23:49:59 +0200
- Message-id: <162560819972.32811.7761254351823926481.reportbug@tuxin.local>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-qt-kde@lists.debian.org

Please unblock package kf5-messagelib

[ Reason ]
The -5 just fixes the CVE-2021-31855 handled in #989438:
If a user deletes an attachment of an encrypted mail, this step
will trigger an upload of the encrypted mail to the IMAP server.

[ Impact ]
The software has a known CVE.

[ Tests ]
Uploaded the -5 several days ago without any bad user response. The
upstream bugfix also did not trigger any bad user experience on other
Linux distros.

[ Risks ]
The fix is very simple, just a single line. I have reviewed the
upstream bugfix myself, so I'm quite confident that this fixes
the CVE properly.

[ Checklist ]
[ x ] all changes are documented in the d/changelog
[ x ] I reviewed all changes and I approve them
[ x ] attach debdiff against the package in testing

[ Other info ]
Forgot to mention the bug number in d/changelog.

unblock kf5-messagelib/4:20.08.3-5

diff -Nru kf5-messagelib-20.08.3/debian/changelog kf5-messagelib-20.08.3/debian/changelog --- kf5-messagelib-20.08.3/debian/changelog 2021-04-06 16:22:38.000000000 +0200 +++ kf5-messagelib-20.08.3/debian/changelog 2021-06-23 12:48:07.000000000 +0200 @@ -1,3 +1,10 @@ +kf5-messagelib (4:20.08.3-5) unstable; urgency=high + + [ Norbert Preining ] + * Backport upstream fix for CVE-2021-31855. + + -- Sandro Knauß <hefee@debian.org> Wed, 23 Jun 2021 12:48:07 +0200 + kf5-messagelib (4:20.08.3-4) unstable; urgency=medium * Fix broken patch series file (Closes: #986452). diff -Nru kf5-messagelib-20.08.3/debian/patches/series kf5-messagelib-20.08.3/debian/patches/series --- kf5-messagelib-20.08.3/debian/patches/series 2021-04-06 16:11:15.000000000 +0200 +++ kf5-messagelib-20.08.3/debian/patches/series 2021-06-10 16:33:14.000000000 +0200
@@ -4,3 +4,4 @@ messagecomposer-Move-protected-headers-to-signed-par.patch mail-thread-ignored-and-mail-thread-watched-exist-in.patch KeyResolver-Enable-ContactPreferences-again.patch +upstream-3b5b171e-cv-2021-31855.patch diff -Nru kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch --- kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 1970-01-01 01:00:00.000000000 +0100 +++ kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 2021-06-10 16:33:14.000000000 +0200 @@ -0,0 +1,24 @@ +From 3b5b171e91ce78b966c98b1292a1bcbc8d984799 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?= <kloecker@kde.org> +Date: Thu, 29 Apr 2021 22:13:38 +0200 +Subject: [PATCH] Fix CVE-2021-31855 + +Deleting an attachment of a decrypted encrypted message stored on a remote server +(e.g. an IMAP server) causes KMail to upload the decrypted content of the message +to the remote server. This is not easily noticeable by the user because KMail does +not display the decrypted content. +--- + messageviewer/src/viewer/viewer_p.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/messageviewer/src/viewer/viewer_p.cpp ++++ b/messageviewer/src/viewer/viewer_p.cpp +@@ -418,7 +418,7 @@ bool ViewerPrivate::deleteAttachment(KMi + #ifndef QT_NO_TREEVIEW + mMimePartTree->mimePartModel()->setRoot(modifiedMessage); + #endif +- mMessageItem.setPayloadFromData(modifiedMessage->encodedContent()); ++ mMessageItem.setPayloadFromData(mMessage->encodedContent()); + Akonadi::ItemModifyJob *job = new Akonadi::ItemModifyJob(mMessageItem, mSession); + job->disableRevisionCheck(); + connect(job, &KJob::result, this, &ViewerPrivate::itemModifiedResult);
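Review bot: the new changelog entry in the debian/changelog hunk does not reference the Debian bug, which the submitter acknowledges under [ Other info ]; the -4 entry directly below shows the convention, so `* Backport upstream fix for CVE-2021-31855 (Closes: #989438).` would let the BTS close #989438 on upload and gives the security tracker a link from the package to the bug.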
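Review bot: the file added in the debian/patches/series hunk is named `upstream-3b5b171e-cv-2021-31855.patch`, with `cv` where the changelog and the patch subject write `CVE-2021-31855`; a name such as `upstream-3b5b171e-CVE-2021-31855.patch` would match that wording and be found by a search for the CVE id across the patches directory.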
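Review bot: the one-line fix inside the new patch file changes what is uploaded, not whether an upload happens. In the viewer_p.cpp hunk `mMimePartTree->mimePartModel()->setRoot(modifiedMessage);` still feeds the locally edited copy to the viewer, while `mMessageItem.setPayloadFromData(mMessage->encodedContent());` now writes the pre-deletion content back through an `Akonadi::ItemModifyJob` with `disableRevisionCheck()`. So for the encrypted case the attachment removal is no longer persisted on the server although the local tree shows it removed, and a modify job carrying unchanged content is still submitted. That is the right trade for the unblock (plaintext stays on the client), but a comment at the `setPayloadFromData` line stating why the original content is re-uploaded, and ideally skipping the job (and telling the user) when the message is encrypted, would make the intent clear to the next person touching `deleteAttachment`. The git `From:`/`Subject:` headers satisfy DEP-3, but a `Bug-Debian: https://bugs.debian.org/989438` line would tie the patch to the tracker.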
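As an added example, not code from the request or from messagelib, a constructed C++ model of the write-back path the [ Reason ] section describes: the vulnerable and fixed variants side by side, plus the property a regression test would assert. `StoredItem`, `modelEncrypt`/`modelDecrypt` (an XOR stand-in, not real encryption) and `removePart` are assumptions of this model, not the Akonadi or KMail APIs.

```cpp
#include <string>
// Constructed model of the write-back path in ViewerPrivate::deleteAttachment.
// mMessage is the item as stored on the server (still encrypted); the viewer
// decrypts it into a working copy and removes the part locally. StoredItem stands
// in for Akonadi::Item + ItemModifyJob. Not real cryptography: "ciphertext" is an
// ENC: prefix plus every byte XOR 0x5A, enough to tell plaintext from stored bytes.
struct StoredItem {
    std::string payload;   // bytes the server holds after the modify job
    int uploads = 0;
    void setPayloadFromData(const std::string &data) { payload = data; ++uploads; }
};

static std::string modelEncrypt(const std::string &plain) {
    std::string out = "ENC:";
    for (char c : plain) out.push_back(static_cast<char>(c ^ 0x5A));
    return out;
}
static std::string modelDecrypt(const std::string &cipher) {
    if (cipher.compare(0, 4, "ENC:") != 0) return cipher;   // not encrypted
    std::string out;
    for (std::string::size_type i = 4; i < cipher.size(); ++i)
        out.push_back(static_cast<char>(cipher[i] ^ 0x5A));
    return out;
}
static std::string removePart(const std::string &mime, const std::string &part) {
    std::string::size_type pos = mime.find(part);
    return pos == std::string::npos ? mime : mime.substr(0, pos) + mime.substr(pos + part.size());
}
// Before the fix: the decrypted, modified copy becomes the new server payload.
// Both variants return what the local MIME tree displays after the deletion.
static std::string deleteAttachmentVulnerable(const std::string &mMessage, StoredItem &item, const std::string &part) {
    std::string modifiedMessage = removePart(modelDecrypt(mMessage), part);
    item.setPayloadFromData(modifiedMessage);   // plaintext leaves the client
    return modifiedMessage;
}

// After upstream 3b5b171e: the bytes already on the server are written back, so
// decrypted content never leaves the client (the local tree still shows the edit).
static std::string deleteAttachmentFixed(const std::string &mMessage, StoredItem &item, const std::string &part) {
    std::string modifiedMessage = removePart(modelDecrypt(mMessage), part);
    item.setPayloadFromData(mMessage);
    return modifiedMessage;
}

// Property a regression test asserts: whatever reached the server must not contain
// the plaintext and must still carry the ciphertext marker.
static bool serverHoldsOnlyCiphertext(const StoredItem &item, const std::string &plain) {
    return item.payload.find(plain) == std::string::npos && item.payload.compare(0, 4, "ENC:") == 0;
}
```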
--- End Message ---
--- Begin Message ---
- To: Sandro Knauß <hefee@debian.org>, 990773-done@bugs.debian.org
- Subject: Re: Bug#990773: unblock: kf5-messagelib/4:20.08.3-5
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Wed, 7 Jul 2021 18:27:00 +0200
- Message-id: <YOXV1CpVi5aXv/om@ramacher.at>
- In-reply-to: <162560819972.32811.7761254351823926481.reportbug@tuxin.local>
- References: <162560819972.32811.7761254351823926481.reportbug@tuxin.local>
On 2021-07-06 23:49:59 +0200, Sandro Knauß wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: debian-qt-kde@lists.debian.org
>
> Please unblock package kf5-messagelib
>
> [ Reason ]
> The -5 just fixes the CVE-2021-31855 handled in #989438:
> If a user deletes an attachment of an encrypted mail, this step
> will trigger an upload of the encrypted mail to the IMAP server.
>
> [ Impact ]
> The software has a known CVE.
>
> [ Tests ]
> Uploaded the -5 several days ago without any bad user response. The
> upstream bugfix also did not trigger any bad user experience on other
> Linux distros.
>
> [ Risks ]
> The fix is very simple, just a single line. I have reviewed the
> upstream bugfix myself, so I'm quite confident that this fixes
> the CVE properly.
>
> [ Checklist ]
> [ x ] all changes are documented in the d/changelog
> [ x ] I reviewed all changes and I approve them
> [ x ] attach debdiff against the package in testing
>
> [ Other info ]
> Forgot to mention the bug number in d/changelog.
>
> unblock kf5-messagelib/4:20.08.3-5

From https://tracker.debian.org/pkg/kf5-messagelib:

[2021-06-28] kf5-messagelib 4:20.08.3-5 MIGRATED to testing (Debian testing watch)

Cheers

> diff -Nru kf5-messagelib-20.08.3/debian/changelog kf5-messagelib-20.08.3/debian/changelog > --- kf5-messagelib-20.08.3/debian/changelog 2021-04-06 16:22:38.000000000 +0200 > +++ kf5-messagelib-20.08.3/debian/changelog 2021-06-23 12:48:07.000000000 +0200
> @@ -1,3 +1,10 @@ > +kf5-messagelib (4:20.08.3-5) unstable; urgency=high > + > + [ Norbert Preining ] > + * Backport upstream fix for CVE-2021-31855. > + > + -- Sandro Knauß <hefee@debian.org> Wed, 23 Jun 2021 12:48:07 +0200 > + > kf5-messagelib (4:20.08.3-4) unstable; urgency=medium > > * Fix broken patch series file (Closes: #986452). > diff -Nru kf5-messagelib-20.08.3/debian/patches/series kf5-messagelib-20.08.3/debian/patches/series > --- kf5-messagelib-20.08.3/debian/patches/series 2021-04-06 16:11:15.000000000 +0200 > +++ kf5-messagelib-20.08.3/debian/patches/series 2021-06-10 16:33:14.000000000 +0200 > @@ -4,3 +4,4 @@ > messagecomposer-Move-protected-headers-to-signed-par.patch > mail-thread-ignored-and-mail-thread-watched-exist-in.patch > KeyResolver-Enable-ContactPreferences-again.patch > +upstream-3b5b171e-cv-2021-31855.patch > diff -Nru kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch > --- kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 1970-01-01 01:00:00.000000000 +0100 > +++ kf5-messagelib-20.08.3/debian/patches/upstream-3b5b171e-cv-2021-31855.patch 2021-06-10 16:33:14.000000000 +0200 
> @@ -0,0 +1,24 @@ > +From 3b5b171e91ce78b966c98b1292a1bcbc8d984799 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?= <kloecker@kde.org> > +Date: Thu, 29 Apr 2021 22:13:38 +0200 > +Subject: [PATCH] Fix CVE-2021-31855 > + > +Deleting an attachment of a decrypted encrypted message stored on a remote server > +(e.g. an IMAP server) causes KMail to upload the decrypted content of the message > +to the remote server. This is not easily noticeable by the user because KMail does > +not display the decrypted content. > +--- > + messageviewer/src/viewer/viewer_p.cpp | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +--- a/messageviewer/src/viewer/viewer_p.cpp > ++++ b/messageviewer/src/viewer/viewer_p.cpp > +@@ -418,7 +418,7 @@ bool ViewerPrivate::deleteAttachment(KMi > + #ifndef QT_NO_TREEVIEW > + mMimePartTree->mimePartModel()->setRoot(modifiedMessage); > + #endif > +- mMessageItem.setPayloadFromData(modifiedMessage->encodedContent()); > ++ mMessageItem.setPayloadFromData(mMessage->encodedContent()); > + Akonadi::ItemModifyJob *job = new Akonadi::ItemModifyJob(mMessageItem, mSession); > + job->disableRevisionCheck(); > + connect(job, &KJob::result, this, &ViewerPrivate::itemModifiedResult);

--
Sebastian Ramacher
--- End Message ---