
Bug#1106867: marked as done (bookworm-pu: kmail-account-wizard/22.12.3-1+deb12u1)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1106867,
regarding bookworm-pu: kmail-account-wizard/22.12.3-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1106867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106867
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for kmail-account-wizard fixes CVE-2024-50624 in Bookworm. According to my tests everything works as intended.

This CVE has been marked as no-dsa by the security team.

  Thorsten
diff -Nru kmail-account-wizard-22.12.3/debian/changelog kmail-account-wizard-22.12.3/debian/changelog
--- kmail-account-wizard-22.12.3/debian/changelog	2023-03-01 21:33:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/changelog	2025-05-27 10:03:02.000000000 +0200
@@ -1,3 +1,16 @@
+kmail-account-wizard (4:22.12.3-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-50624
+    fix man-in-the-middle-attack when using autoconf for retrieving
+    configuration
+  * for configuration with autoconf.example.com, the config is fetched
+    via https and the former http as fallback.
+    for configuration via example.com/.well-known/autoconfig the
+    config is now fetched only with https
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Tue, 27 May 2025 10:03:02 +0200
+
 kmail-account-wizard (4:22.12.3-1) unstable; urgency=medium
 
   [ Patrick Franz ]
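Review bot: the CVE bullet says the change "fix[es] man-in-the-middle-attack", but the following bullet states that for autoconfig.example.com the plain-http fetch is kept as a fallback, so the plaintext request that the CVE describes is still reachable whenever the https attempt fails; the entry should say the exposure is reduced rather than fixed, or explain why the remaining http fallback is acceptable. Minor style: the two bullets describe one change and read better as a single "* CVE-2024-50624: ..." entry, with "man-in-the-middle-attack" written as "man-in-the-middle attack".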
diff -Nru kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch
--- kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch	1970-01-01 01:00:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch	2025-05-27 10:03:02.000000000 +0200
@@ -0,0 +1,68 @@
+commit 9784f5ab41c3aff435d4a88afb25585180a62ee4
+Author: Laurent Montel <montel@kde.org>
+Date:   Mon Jun 3 13:42:29 2024 +0200
+
+    Fix bug 487882: plaintext HTTP request in kmail-account-wizard
+    
+    BUG: 487882
+    FIXED-IN: 6.2.0
+
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.cpp	2025-05-27 11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp	2025-05-27 12:57:09.463399061 +0200
+@@ -64,11 +64,14 @@
+     QUrl url;
+     const QString path = type + QStringLiteral("/config-v") + version + QStringLiteral(".xml");
+     switch (mServerType) {
++    case IspHttpsAutoConfig:
++        url = QUrl(QStringLiteral("https://autoconfig.";) + mAddr.domain.toLower() + QLatin1Char('/') + path);
++        break;
+     case IspAutoConfig:
+         url = QUrl(QStringLiteral("http://autoconfig.";) + mAddr.domain.toLower() + QLatin1Char('/') + path);
+         break;
+     case IspWellKnow:
+-        url = QUrl(QStringLiteral("http://";) + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
++        url = QUrl(QStringLiteral("https://";) + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
+         break;
+     case DataBase:
+         url = QUrl(QStringLiteral("https://autoconfig.thunderbird.net/v1.1/";) + mAddr.domain.toLower());
+@@ -93,16 +96,9 @@
+         qCDebug(ACCOUNTWIZARD_LOG) << "Fetching failed" << job->errorString();
+         bool lookupFinished = false;
+ 
+-        switch (mServerType) {
+-        case IspAutoConfig:
+-            mServerType = IspWellKnow;
+-            break;
+-        case IspWellKnow:
+-            lookupFinished = true;
+-            break;
+-        case DataBase:
+-            mServerType = IspAutoConfig;
+-            break;
++        if (mServerType != Ispdb::searchServerType::Last) {
++            int index = static_cast<int>(mServerType);
++            mServerType= static_cast<Ispdb::searchServerType>(++index);
+         }
+ 
+         if (lookupFinished) {
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.h
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.h	2025-05-27 11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.h	2025-05-27 11:10:40.171001261 +0200
+@@ -95,9 +95,11 @@
+         @see lookupUrl to generate a url base on this type
+      */
+     enum searchServerType {
+-        IspAutoConfig = 0, /**< http://autoconfig.example.com/mail/config-v1.1.xml */
+-        IspWellKnow, /**< http://example.com/.well-known/autoconfig/mail/config-v1.1.xml */
+-        DataBase /**< https://autoconfig.thunderbird.net/v1.1/example.com */
++        DataBase = 0, ///< https://autoconfig.thunderbird.net/v1.1/example.com */
++        IspHttpsAutoConfig = 1, ///< https://autoconfig.example.com/mail/config-v1.1.xml
++        IspAutoConfig = 2, ///< http://autoconfig.example.com/mail/config-v1.1.xml
++        IspWellKnow = 3, ///< https://example.com/.well-known/autoconfig/mail/config-v1.1.xml
++        Last = IspWellKnow
+     };
+ 
+     /** let's request the autoconfig server */
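Review bot: the replacement of the `switch` in the fetch-failure handler (the `@@ -93,16 +96,9 @@` hunk of ispdb.cpp) drops the only assignment of `lookupFinished = true`: the new `if (mServerType != Ispdb::searchServerType::Last)` block only advances `mServerType`, and when the last type (`IspWellKnow`) has already failed nothing marks the lookup as finished, so the `if (lookupFinished)` check that follows can never be taken and the failure path for the final server type is silently lost. It needs an `else { lookupFinished = true; }` (or equivalent) to keep the old end-of-chain behaviour. Also worth addressing: the patch file carries the upstream commit line but no DEP-3 headers (`Origin:`, `Bug:` for KDE bug 487882, `Bug-Debian:`), which the Debian patch tracker relies on; the `DataBase` doxygen comment ends in a stray `*/` after the switch to `///<` style; `mServerType= static_cast` is missing a space; and the `";)` sequences inside the `QStringLiteral(...)` calls look like list-archive URL mangling rather than patch content, so the applied file should be checked against the upstream commit before upload.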
diff -Nru kmail-account-wizard-22.12.3/debian/patches/series kmail-account-wizard-22.12.3/debian/patches/series
--- kmail-account-wizard-22.12.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/patches/series	2025-05-27 10:03:02.000000000 +0200
@@ -0,0 +1 @@
+CVE-2024-50624.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---