
Bug#1106867: bookworm-pu: kmail-account-wizard/22.12.3-1+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for kmail-account-wizard fixes CVE-2024-50624 in Bookworm. According to my tests, everything works as intended.

This CVE has been marked as no-dsa by the security team.

  Thorsten
diff -Nru kmail-account-wizard-22.12.3/debian/changelog kmail-account-wizard-22.12.3/debian/changelog
--- kmail-account-wizard-22.12.3/debian/changelog	2023-03-01 21:33:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/changelog	2025-05-27 10:03:02.000000000 +0200
@@ -1,3 +1,16 @@
+kmail-account-wizard (4:22.12.3-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-50624
+    fix man-in-the-middle-attack when using autoconf for retrieving
+    configuration
+  * for configuration with autoconf.example.com, the config is fetched
+    via https and the former http as fallback.
+    for configuration via example.com/.well-known/autoconfig the
+    config is now fetched only with https
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Tue, 27 May 2025 10:03:02 +0200
+
 kmail-account-wizard (4:22.12.3-1) unstable; urgency=medium
 
   [ Patrick Franz ]
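Review bot: the changelog entry describes the URL scheme changes but not the change in lookup order that the same patch introduces: the enum in ispdb.h is reordered to DataBase, IspHttpsAutoConfig, IspAutoConfig, IspWellKnow and the failure handler in ispdb.cpp now walks it in that order, so the set of servers contacted and the order they are tried differ from 22.12.3-1. A line such as "lookup now tries the Thunderbird database, then https autoconfig, then http autoconfig, then the https .well-known URL" would make the behaviour change visible to users reading the changelog. Minor: "man-in-the-middle-attack" should be "man-in-the-middle attack".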
diff -Nru kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch
--- kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch	1970-01-01 01:00:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch	2025-05-27 10:03:02.000000000 +0200
@@ -0,0 +1,68 @@
+commit 9784f5ab41c3aff435d4a88afb25585180a62ee4
+Author: Laurent Montel <montel@kde.org>
+Date:   Mon Jun 3 13:42:29 2024 +0200
+
+    Fix bug 487882: plaintext HTTP request in kmail-account-wizard
+    
+    BUG: 487882
+    FIXED-IN: 6.2.0
+
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.cpp	2025-05-27 11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp	2025-05-27 12:57:09.463399061 +0200
+@@ -64,11 +64,14 @@
+     QUrl url;
+     const QString path = type + QStringLiteral("/config-v") + version + QStringLiteral(".xml");
+     switch (mServerType) {
++    case IspHttpsAutoConfig:
++        url = QUrl(QStringLiteral("https://autoconfig.";) + mAddr.domain.toLower() + QLatin1Char('/') + path);
++        break;
+     case IspAutoConfig:
+         url = QUrl(QStringLiteral("http://autoconfig.";) + mAddr.domain.toLower() + QLatin1Char('/') + path);
+         break;
+     case IspWellKnow:
+-        url = QUrl(QStringLiteral("http://";) + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
++        url = QUrl(QStringLiteral("https://";) + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
+         break;
+     case DataBase:
+         url = QUrl(QStringLiteral("https://autoconfig.thunderbird.net/v1.1/";) + mAddr.domain.toLower());
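Review bot: the IspAutoConfig case still builds a plain http:// URL, and with the fallback in the next hunk it is reached whenever the IspHttpsAutoConfig fetch fails, so a configuration can still be retrieved over cleartext on that path; the changelog presents the http fallback as intentional, but the bug report should state that CVE-2024-50624 is only partly mitigated for autoconfig.example.com (the .well-known URL is moved to https with no cleartext fallback). Separately, the `";` inside `QStringLiteral("https://autoconfig.";)` on the two autoconfig lines and on the thunderbird.net line looks like URL munging by the list archive rather than content of the patch file; the file in the upload should be compared against upstream commit 9784f5ab before it is applied.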
+@@ -93,16 +96,9 @@
+         qCDebug(ACCOUNTWIZARD_LOG) << "Fetching failed" << job->errorString();
+         bool lookupFinished = false;
+ 
+-        switch (mServerType) {
+-        case IspAutoConfig:
+-            mServerType = IspWellKnow;
+-            break;
+-        case IspWellKnow:
+-            lookupFinished = true;
+-            break;
+-        case DataBase:
+-            mServerType = IspAutoConfig;
+-            break;
++        if (mServerType != Ispdb::searchServerType::Last) {
++            int index = static_cast<int>(mServerType);
++            mServerType= static_cast<Ispdb::searchServerType>(++index);
+         }
+ 
+         if (lookupFinished) {
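Review bot: lookupFinished is initialised to false and after this change is never set to true: the removed switch set it when IspWellKnow failed, whereas the new if only advances mServerType and does nothing once it equals Last. Unless a line outside this hunk assigns it, the `if (lookupFinished)` branch can no longer be taken and the hunk shows no way for the lookup to stop after the last server type. Suggest completing the condition: `} else { lookupFinished = true; }`. Style: `mServerType= static_cast<Ispdb::searchServerType>(++index);` is missing the space before `=`.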
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.h
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.h	2025-05-27 11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.h	2025-05-27 11:10:40.171001261 +0200
+@@ -95,9 +95,11 @@
+         @see lookupUrl to generate a url base on this type
+      */
+     enum searchServerType {
+-        IspAutoConfig = 0, /**< http://autoconfig.example.com/mail/config-v1.1.xml */
+-        IspWellKnow, /**< http://example.com/.well-known/autoconfig/mail/config-v1.1.xml */
+-        DataBase /**< https://autoconfig.thunderbird.net/v1.1/example.com */
++        DataBase = 0, ///< https://autoconfig.thunderbird.net/v1.1/example.com */
++        IspHttpsAutoConfig = 1, ///< https://autoconfig.example.com/mail/config-v1.1.xml
++        IspAutoConfig = 2, ///< http://autoconfig.example.com/mail/config-v1.1.xml
++        IspWellKnow = 3, ///< https://example.com/.well-known/autoconfig/mail/config-v1.1.xml
++        Last = IspWellKnow
+     };
+ 
+     /** let's request the autoconfig server */
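Review bot: the DataBase line keeps a trailing `*/` from the old `/**< ... */` comment while switching to `///<` style, leaving `///< https://autoconfig.thunderbird.net/v1.1/example.com */`; the `*/` should be dropped. More importantly, the enumerators are renumbered (DataBase moves from 2 to 0, IspAutoConfig from 0 to 2), so any code that initialises or stores mServerType by integer value now means a different server type; the diff does not show where mServerType is initialised, so that site should be checked before upload. The comment on IspAutoConfig correctly still reads http://, which matches the code in ispdb.cpp.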
diff -Nru kmail-account-wizard-22.12.3/debian/patches/series kmail-account-wizard-22.12.3/debian/patches/series
--- kmail-account-wizard-22.12.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/patches/series	2025-05-27 10:03:02.000000000 +0200
@@ -0,0 +1 @@
+CVE-2024-50624.patch