Debian Bug report logs -
#926996
kmail: CVE-2019-10732: decryption based on replying to PGP or S/MIME encrypted emails
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#926996; Package src:kmail. (Sat, 13 Apr 2019 08:33:07 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sat, 13 Apr 2019 08:33:07 GMT)
Message #5 received at submit@bugs.debian.org:
Source: kmail
Version: 4:18.08.3-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.kde.org/show_bug.cgi?id=404698
Hi,
The following vulnerability was published for kmail. It was reported
upstream at [1] but at the point of writing the bug report there is not
much information available (or fix).
CVE-2019-10732[0]:
| In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP
| encrypted emails can wrap them as sub-parts within a crafted multipart
| email. The encrypted part(s) can further be hidden using HTML/CSS or
| ASCII newline characters. This modified multipart email can be re-sent
| by the attacker to the intended receiver. If the receiver replies to
| this (benign looking) email, they unknowingly leak the plaintext of
| the encrypted message part(s) back to the attacker.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10732
[1] https://bugs.kde.org/show_bug.cgi?id=404698
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
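The message shape the CVE text above describes, together with a structural check a mail client could run before quoting decrypted text into a reply, as an added example. This is not code from KMail or messagelib and it is not the upstream fix; it only illustrates the attack layout and one defensive test against it. The ciphertext is a constructed placeholder, the addresses are made up, and the rule that a legitimate encrypted mail has its encrypted container at the root (or as the body of a root multipart/signed) is an assumption of this example.

```python
"""Structural check for CVE-2019-10732-shaped mail (added example, not
KMail/messagelib code). Builds a constructed mail in which a captured
PGP/MIME message is re-wrapped as a sub-part of a benign-looking
multipart/mixed mail, and checks whether quoting decrypted text is safe."""
from email import message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.policy import default

# Constructed placeholder for ciphertext the attacker captured earlier.
# It is not a real OpenPGP packet and cannot be decrypted.
CAPTURED_CIPHERTEXT = (
    b"-----BEGIN PGP MESSAGE-----\n\n"
    b"hQEMA0ZYxOHiZKJ7AQf/placeholder-ciphertext-not-real==\n"
    b"-----END PGP MESSAGE-----\n"
)


def pgp_mime_container() -> MIMEMultipart:
    """RFC 3156 multipart/encrypted wrapper around the captured ciphertext."""
    enc = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    enc.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    enc.attach(MIMEApplication(CAPTURED_CIPHERTEXT, "octet-stream"))
    return enc


def build_crafted_message() -> bytes:
    """Attacker's mail: innocuous text first, the victim's old ciphertext as
    the second sub-part. A client that decrypts every sub-part and quotes
    the result when the victim replies leaks the plaintext to the attacker."""
    outer = MIMEMultipart("mixed")
    outer["From"] = "attacker@example.net"  # constructed addresses
    outer["To"] = "victim@example.org"
    outer["Subject"] = "Quick question"
    outer.attach(MIMEText("Hi, can you confirm Thursday still works?\n", "plain"))
    outer.attach(pgp_mime_container())
    return outer.as_bytes()


def build_honest_message() -> bytes:
    """Legitimate PGP/MIME mail: the encrypted container is the whole body."""
    enc = pgp_mime_container()
    enc["From"] = "alice@example.org"
    enc["To"] = "victim@example.org"
    enc["Subject"] = "Confidential"
    return enc.as_bytes()


def parse(raw: bytes) -> Message:
    return message_from_bytes(raw, policy=default)


def is_encrypted_container(part: Message) -> bool:
    """True for PGP/MIME (RFC 3156) and S/MIME enveloped (RFC 8551) parts."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = str(part.get_param("smime-type", "")).lower()
        # A missing smime-type is treated as encrypted (fail closed).
        return smime_type in ("", "enveloped-data", "authenveloped-data")
    return False


def find_encrypted_parts(msg: Message) -> list:
    """(path, content-type) for every encrypted container; path is the tuple
    of child indices from the root. Ciphertext containers are not descended."""
    found = []

    def walk(part: Message, path: tuple) -> None:
        if is_encrypted_container(part):
            found.append((path, part.get_content_type()))
            return
        if part.is_multipart():
            for i, sub in enumerate(part.get_payload()):
                walk(sub, path + (i,))

    walk(msg, ())
    return found


def reply_quote_is_safe(msg: Message) -> bool:
    """Quote decrypted text only when encryption covers the whole message:
    the root is the encrypted container, or the root is multipart/signed and
    its first part is (encrypt-then-sign). An encrypted part nested under an
    ordinary multipart is the CVE-2019-10732 shape and must not be quoted."""
    for path, _ in find_encrypted_parts(msg):
        if path == ():
            continue
        if path == (0,) and msg.get_content_type() == "multipart/signed":
            continue
        return False
    return True


if __name__ == "__main__":
    for label, raw in (("crafted", build_crafted_message()),
                       ("honest", build_honest_message())):
        m = parse(raw)
        print(label, find_encrypted_parts(m), "safe:", reply_quote_is_safe(m))
```

The check is purely structural and runs before any decryption, so it needs no keys. It does not cover inline PGP (an armored block pasted into a text/plain body) or the HTML/CSS hiding the CVE text mentions, which is a rendering concern rather than a MIME-tree one; a client would still have to decide what to do with a flagged message, for example reply without quoting or warn the user.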
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 13 May 2019 19:27:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#926996; Package src:kmail. (Mon, 13 May 2019 19:45:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 13 May 2019 19:45:03 GMT)
Message #12 received at 926996@bugs.debian.org:
Control: tags -1 + fixed-upstream
On Sat, Apr 13, 2019 at 10:31:53AM +0200, Salvatore Bonaccorso wrote:
> Source: kmail
> Version: 4:18.08.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://bugs.kde.org/show_bug.cgi?id=404698
Discussion on https://bugs.kde.org/show_bug.cgi?id=404698 seems to
indicate the issue is getting resolved upstream.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#926996; Package src:kmail. (Mon, 13 May 2019 21:48:05 GMT)
Acknowledgement sent to Sandro Knauß <hefee@debian.org>: Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 13 May 2019 21:48:05 GMT)
Message #17 received at 926996@bugs.debian.org:
Control: reassign -1 kf5-messagelib
The code lies in kf5-messagelib, that's why I reassign the bug. Please update
the security tracker accordingly.
> Discussion on https://bugs.kde.org/show_bug.cgi?id=404698 seems to
> indicate the issue is getting resolved upstream.
Yes, I fixed the bug upstream and will hopefully find time in the next days to
backport it to 18.08.
hefee
[signature.asc (application/pgp-signature, inline)]
Bug reassigned from package 'src:kmail' to 'kf5-messagelib'. Request was from Sandro Knauß <hefee@debian.org> to 926996-submit@bugs.debian.org. (Mon, 13 May 2019 21:48:05 GMT)
No longer marked as found in versions kmail/4:18.08.3-1. Request was from Sandro Knauß <hefee@debian.org> to 926996-submit@bugs.debian.org. (Mon, 13 May 2019 21:48:05 GMT)
Marked as found in versions 4:18.08.3-2. Request was from Sandro Knauß <hefee@debian.org> to control@bugs.debian.org. (Mon, 13 May 2019 22:06:02 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 19:05:43 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.