| Summary: | <kde-apps/kmail-17.04.2 - <kde-apps/messagelib-17.04.2 - <kde-apps/kdepim-common-libs-4.14.11_pre20160611: send later feature doesn't have "sign/encryption" action ensured (CVE-2017-9604) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Andreas Sturmlechner <asturm> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | Flags: | stable-bot:
sanity-check+
|
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.suse.com/show_bug.cgi?id=1044210 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
kde-apps/kmail-4.14.11_pre20160611-r1
kde-apps/kdepim-common-libs-4.14.11_pre20160611-r1
|
Runtime testing required: | --- |
Revbumped kdepim-common-libs and kmail in git commits 380abc6b5465ed4c9f4233a26e47fd120fc57e1d and 9d80a4784aa48c29ad39ed1c39ab0ed45b8867ea respectively. CVE-2017-9604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9604): KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network. @ Maintainer(s): Thank you for the bump. At least kde-apps/kmail and kde-apps/kdepim-common-libs package needs stabilization. Can we already stabilize or do you want to wait a few days? An automated check of this bug failed - repoman reported dependency errors (41 lines truncated):
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=kde-apps/akonadi-17.04.2:5', '>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qttest-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=kde-apps/akonadi-17.04.2:5', '>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=kde-apps/akonadi-17.04.2:5', '>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qttest-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated):
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qttest-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qttest-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
For slot 5 there is nothing to do. An automated check of this bug succeeded - the previous repoman errors are now resolved. amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. Thanks for stabilising, -r0 dropped in 7835e83f7e68737719358115797a191920cc6f10 and d6d2e7120749e02f93ddd78662c52554b01c04f2, KDE team done. GLSA Vote: No |
Quoting SUSE: "KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network." Reproducible: Always * =4.4.2017.04 from pre-akonadi era does not have the feature, no action required * kde-apps/{kmail,kdepim-common-libs}-4.14.11_pre20160611 need backport bumps * <17.04.2:5 versions are already gone from tree, nothing to do here