kmail: CVE-2019-10732: decryption based on replying to PGP or S/MIME encrypted emails

Related Vulnerabilities: CVE-2019-10732  

Debian Bug report logs - #926996


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 13 Apr 2019 08:33:04 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version 4:18.08.3-2

Forwarded to https://bugs.kde.org/show_bug.cgi?id=404698



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#926996; Package src:kmail. (Sat, 13 Apr 2019 08:33:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sat, 13 Apr 2019 08:33:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kmail: CVE-2019-10732: decryption based on replying to PGP or S/MIME encrypted emails
Date: Sat, 13 Apr 2019 10:31:53 +0200
Source: kmail
Version: 4:18.08.3-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.kde.org/show_bug.cgi?id=404698

Hi,

The following vulnerability was published for kmail. It was reported
upstream at [1] but at the point of writing this bug report there is not
much information available (or a fix).

CVE-2019-10732[0]:
| In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP
| encrypted emails can wrap them as sub-parts within a crafted multipart
| email. The encrypted part(s) can further be hidden using HTML/CSS or
| ASCII newline characters. This modified multipart email can be re-sent
| by the attacker to the intended receiver. If the receiver replies to
| this (benign looking) email, they unknowingly leak the plaintext of
| the encrypted message part(s) back to the attacker.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10732
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10732
[1] https://bugs.kde.org/show_bug.cgi?id=404698

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
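
The wrapping the CVE text describes, and a structural check a reply composer could apply before it quotes decrypted content, as an added example (not KMail's or messagelib's own code; the constructed MIME samples and the "only quote when encryption covers the whole message" policy are assumptions of this example):

```python
"""Defensive check for the wrapping pattern in CVE-2019-10732: an encrypted
MIME part nested as a sub-part of a crafted unencrypted multipart message.
Added example, not KMail/messagelib code; policy and samples are assumed."""
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def is_encrypted_part(part) -> bool:
    """PGP/MIME (multipart/encrypted) or S/MIME enveloped-data."""
    ctype = part.get_content_type()
    if ctype == "application/pkcs7-mime":
        # signed-data is also pkcs7-mime but carries no ciphertext
        return part.get_param("smime-type", "") == "enveloped-data"
    return ctype == "multipart/encrypted"


def find_encrypted_parts(msg):
    """Return (depth, content_type) for every encrypted node of the MIME tree."""
    found = []

    def walk(part, depth):
        if is_encrypted_part(part):
            found.append((depth, part.get_content_type()))
            return  # do not descend into ciphertext
        if part.is_multipart():
            for sub in part.get_payload():
                walk(sub, depth + 1)

    walk(msg, 0)
    return found


def safe_to_quote_decrypted(msg) -> bool:
    """True only if encryption covers the whole message (depth 0); an
    encrypted part below an unencrypted wrapper is treated as suspect."""
    enc = find_encrypted_parts(msg)
    return bool(enc) and all(depth == 0 for depth, _ in enc)


def pgp_mime_part():
    """Constructed PGP/MIME container with a placeholder ciphertext body."""
    enc = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    enc.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    enc.attach(MIMEApplication(b"-----BEGIN PGP MESSAGE-----\n[placeholder]\n"
                               b"-----END PGP MESSAGE-----\n", "octet-stream"))
    return enc


# Constructed samples: a normal encrypted mail, and the same encrypted part
# wrapped under a benign-looking HTML body (the hiding the CVE text mentions).
BENIGN = pgp_mime_part()
CRAFTED = MIMEMultipart("mixed")
CRAFTED.attach(MIMEText('<p>Meeting at 10?</p><div style="display:none">', "html"))
CRAFTED.attach(pgp_mime_part())
```

A composer applying `safe_to_quote_decrypted` would quote the decrypted text for BENIGN but refuse (or warn) for CRAFTED, so the plaintext never ends up in a reply to the wrapper's sender.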



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 13 May 2019 19:27:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#926996; Package src:kmail. (Mon, 13 May 2019 19:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 13 May 2019 19:45:03 GMT) (full text, mbox, link).


Message #12 received at 926996@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 926996@bugs.debian.org
Subject: Re: Bug#926996: kmail: CVE-2019-10732: decryption based on replying to PGP or S/MIME encrypted emails
Date: Mon, 13 May 2019 21:42:21 +0200
Control: tags -1 + fixed-upstream

On Sat, Apr 13, 2019 at 10:31:53AM +0200, Salvatore Bonaccorso wrote:
> Source: kmail
> Version: 4:18.08.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://bugs.kde.org/show_bug.cgi?id=404698

Discussion on https://bugs.kde.org/show_bug.cgi?id=404698 seems to
indicate the issue is getting resolved upstream.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#926996; Package src:kmail. (Mon, 13 May 2019 21:48:05 GMT) (full text, mbox, link).


Acknowledgement sent to Sandro Knauß <hefee@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 13 May 2019 21:48:05 GMT) (full text, mbox, link).


Message #17 received at 926996@bugs.debian.org (full text, mbox, reply):

From: Sandro Knauß <hefee@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 926996@bugs.debian.org, security@kde.org
Subject: Re: Bug#926996: kmail: CVE-2019-10732: decryption based on replying to PGP or S/MIME encrypted emails
Date: Mon, 13 May 2019 23:43:30 +0200
Control: reassign -1 kf5-messagelib

The code lies in kf5-messagelib, that's why I reassign the bug. Please update
the security tracker accordingly.

> Discussion on https://bugs.kde.org/show_bug.cgi?id=404698 seems to
> indicate the issue is getting resolved upstream.

Yes, I fixed the bug upstream and will hopefully find time in the next days to
backport it to 18.08.

hefee

Bug reassigned from package 'src:kmail' to 'kf5-messagelib'. Request was from Sandro Knauß <hefee@debian.org> to 926996-submit@bugs.debian.org. (Mon, 13 May 2019 21:48:05 GMT) (full text, mbox, link).


No longer marked as found in versions kmail/4:18.08.3-1. Request was from Sandro Knauß <hefee@debian.org> to 926996-submit@bugs.debian.org. (Mon, 13 May 2019 21:48:05 GMT) (full text, mbox, link).


Marked as found in versions 4:18.08.3-2. Request was from Sandro Knauß <hefee@debian.org> to control@bugs.debian.org. (Mon, 13 May 2019 22:06:02 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:05:43 2019; Machine Name: buxtehude
