CVE-2017-9604: Send Later with Delay bypasses OpenPGP

Debian Bug report logs - #864803
CVE-2017-9604: Send Later with Delay bypasses OpenPGP

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2017-9604: Send Later with Delay bypasses OpenPGP

Date: Thu, 15 Jun 2017 07:40:10 +0200

Source: kf5-messagelib
Version: 4:16.04.3-2
Severity: important
Tags: patch upstream security
Control: clone -1 -2
Control: reassign -2 kdepim 4:4.14.1-1

Hi,

the following vulnerability was published for kf5-messagelib (and
kmail).

CVE-2017-9604[0]:
| KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in
| KDE Applications before 17.04.2, do not ensure that a plugin's
| sign/encrypt action occurs during use of the Send Later feature, which
| allows remote attackers to obtain sensitive information by sniffing the
| network.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9604
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9604
[1] https://www.kde.org/info/security/advisory-20170615-1.txt

Looking at the patchset I see it would apply as well to
kdepim/4:4.14.1-1 to some extend. I though have some difficulties to
correctly classify not knowing this Send Later feature. Can you please
double check the above.

Regards,
Salvatore

Message #12 received at 864803@bugs.debian.org (full text, mbox, reply):

From: Sandro Knauß <bugs@sandroknauss.de>

To: Salvatore Bonaccorso <carnil@debian.org>, 864803@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>

Subject: Re: Bug#864803: CVE-2017-9604: Send Later with Delay bypasses OpenPGP

Date: Sat, 17 Jun 2017 09:12:29 +0200

[Message part 1 (text/plain, inline)]

Hey,

I have now have a fixed version for stretch and sid (see debdiff). Because 
Debian is currently in the release process, I'm not sure, how to upload/handle 
the fix for stretch.

Best Regards,

sandro

--
On Donnerstag, 15. Juni 2017 07:40:10 CEST Salvatore Bonaccorso wrote:
> Source: kf5-messagelib
> Version: 4:16.04.3-2
> Severity: important
> Tags: patch upstream security
> Control: clone -1 -2
> Control: reassign -2 kdepim 4:4.14.1-1
> 
> Hi,
> 
> the following vulnerability was published for kf5-messagelib (and
> kmail).
> 
> CVE-2017-9604[0]:
> | KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in
> | KDE Applications before 17.04.2, do not ensure that a plugin's
> | sign/encrypt action occurs during use of the Send Later feature, which
> | allows remote attackers to obtain sensitive information by sniffing the
> | network.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-9604
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9604
> [1] https://www.kde.org/info/security/advisory-20170615-1.txt
> 
> Looking at the patchset I see it would apply as well to
> kdepim/4:4.14.1-1 to some extend. I though have some difficulties to
> correctly classify not knowing this Send Later feature. Can you please
> double check the above.
> 
> Regards,
> Salvatore

[CVE-2017-9604.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 864803-close@bugs.debian.org (full text, mbox, reply):

From: Sandro Knauß <hefee@debian.org>

To: 864803-close@bugs.debian.org

Subject: Bug#864803: fixed in kf5-messagelib 4:16.04.3-3

Date: Sun, 18 Jun 2017 00:14:31 +0000

Source: kf5-messagelib
Source-Version: 4:16.04.3-3

We believe that the bug you reported is fixed in the latest version of
kf5-messagelib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864803@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Knauß <hefee@debian.org> (supplier of updated kf5-messagelib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Jun 2017 09:08:12 +0200
Source: kf5-messagelib
Binary: kf5-messagelib-data libkf5messagecomposer5 libkf5messagecomposer-dev libkf5messagecore5 libkf5messagecore-dev libkf5messagelist5 libkf5messagelist-dev libkf5messageviewer5 libkf5messageviewer-dev libkf5templateparser5 libkf5templateparser-dev
Architecture: source
Version: 4:16.04.3-3
Distribution: unstable
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Sandro Knauß <hefee@debian.org>
Description:
 kf5-messagelib-data - KDE PIM messaging library, data files
 libkf5messagecomposer-dev - KDE PIM messaging library, composer devel files
 libkf5messagecomposer5 - KDE PIM messaging library, composer library
 libkf5messagecore-dev - KDE PIM messaging library, core devel files
 libkf5messagecore5 - KDE PIM messaging library, core library
 libkf5messagelist-dev - KDE PIM messaging library, message list devel files
 libkf5messagelist5 - KDE PIM messaging library, message list library
 libkf5messageviewer-dev - KDE PIM messaging library, message viewer devel files
 libkf5messageviewer5 - KDE PIM messaging library, message viewer library
 libkf5templateparser-dev - KDE PIM messaging library, template parser devel files
 libkf5templateparser5 - KMail template parser library
Closes: 864803
Changes:
 kf5-messagelib (4:16.04.3-3) unstable; urgency=high
 .
   * Team upload.
 .
   [ Sandro Knauß ]
   * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803)
     - Added upstream patch fix-CVE-2017-9604.patch
Checksums-Sha1:
 455fd95342bff936f66d64a30c4044003af4eca2 4286 kf5-messagelib_16.04.3-3.dsc
 5ea0a027b6ac479df6dbccf46abe0d7f71a8210f 44336 kf5-messagelib_16.04.3-3.debian.tar.xz
 d2715f2824fcedd766d478c4f5b9f8a0c166eaa8 21676 kf5-messagelib_16.04.3-3_source.buildinfo
Checksums-Sha256:
 eba13fed12e19a47a1effd77852e26194b7659c3ba0042f7a9d4568068babde2 4286 kf5-messagelib_16.04.3-3.dsc
 0618bfb318b013ffebbe6256d865576c4edcfa530c85eb05627e94f1f26f896c 44336 kf5-messagelib_16.04.3-3.debian.tar.xz
 74a105243055d92513000e7f4d39af0ed83d4ca03a1b2eb1dcb4da34dfb84fa7 21676 kf5-messagelib_16.04.3-3_source.buildinfo
Files:
 8892077949c5e6c97606e65b687194d4 4286 libs optional kf5-messagelib_16.04.3-3.dsc
 1860a69da4666f28fc0947f38ebdb6c2 44336 libs optional kf5-messagelib_16.04.3-3.debian.tar.xz
 13e5b3152e4dc0c7aec0fbff375cee15 21676 libs optional kf5-messagelib_16.04.3-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEOewRoCAWtykmSRoG462wCFBgVjYFAllE1/URHGhlZmVlQGRl
Ymlhbi5vcmcACgkQ462wCFBgVjaO6w/+Mt3cZCt8CCnn9ZrGmUhL6fRsPnhXBa5f
xDxtf7nEe/FkBVyR4nRpVuyOr/6vVmlQmfls9rJMWpD0CBaxJbTfncZJoIjXp+nE
pbt31qQN/hlZ3ul3Q/WFKotApX5eJ/crbqjXkF490Ri0zLlHz8O67ScaQwEOHQ36
pkqrIq3ExYJzpvujP/fMfeDr5JQrXid2DJ7VlGar0iRtcdzef/c+0UPPpE1pC0yF
GQm02XtRk8A4UBwOVQ6KGBDUd5np6FX1gLh47S/E0+NYpp0seAzMPfp91C69wSJs
Aoi67EC3c9CD6b9Q1OrkHiF8pmkhAuB9nANTqJ098MjPfmflhjSui6+lvUqjWFa6
F9e2NfrWXTlWIaMWS5Mj0j57L6SwUt2yVqin9Q/tG9aRO3IyPEBEPk/xuxV2dB3U
kuWgxsnR6RUj1zPgR+cjk0Eeq/FqB6R53cjlrdStOFpnYyLCvQ7COkatumpY2YAE
KFFzgABTfZ7s/6JiWPXrFR1wSgF8RAAeRr/2Fls1l27VNdmFvIzoT97UrtW0vnFP
KXqurWx/TMBsmT+wfIruHYlrNK992TUJKo7WiOErIYgu1ZFIZDkrTeJ6J54KVaK/
DBxekc5NcoKyF1VibQ++T1MXBhBVND4b2EOND3wSw2QgekUeAzstidCWoFjhbTQc
fv8/Hd4ANuM=
=sAv0
-----END PGP SIGNATURE-----

Message #22 received at 864803@bugs.debian.org (full text, mbox, reply):

From: Sandro Knauß <hefee@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 864803@bugs.debian.org, Debian Security Team <team@security.debian.org>, pkg-kde-talk@lists.alioth.debian.org

Subject: Re: Bug#864803: CVE-2017-9604: Send Later with Delay bypasses OpenPGP

Date: Tue, 20 Jun 2017 13:08:08 +0200

[Message part 1 (text/plain, inline)]

Hey,

I'm AFK from tomorrow one for at least one week, so I can't upload the 
packages in that time. I will not be the reason, why a security issue is 
longer than needed open. So use my debdiff as a "good" start to get this 
security issue fixed in stretch and jessie :) I think it will only changes of 
the concrete version number. I don't care in the end you is uploading the fixes 
:)

Best Regards,

sandro

--
On Samstag, 17. Juni 2017 09:12:29 CEST Sandro Knauß wrote:
> Hey,
> 
> I have now have a fixed version for stretch and sid (see debdiff). Because
> Debian is currently in the release process, I'm not sure, how to
> upload/handle the fix for stretch.
> 
> Best Regards,
> 
> sandro

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.