| Summary: | <mail-client/trojita-0.7-r4: Multiple vulnerabilities (CVE-2019-10734, CVE-2020-15047) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | jkt, qt |
| Priority: | Normal | Flags: | nattka:
sanity-check-
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugs.kde.org/show_bug.cgi?id=423453 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
mail-client/trojita-0.7-r4
|
Runtime testing required: | --- |
| Bug Depends on: | 730058 | ||
| Bug Blocks: | 807352 | ||
|
Description
Agostino Sarubbo
2020-06-25 11:17:55 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=835ed520d32ad8721f0fa83b81432f244a14f187 commit 835ed520d32ad8721f0fa83b81432f244a14f187 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-06-25 12:08:06 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-06-25 12:11:30 +0000 mail-client/trojita: Fix improper certificate validation Bug: https://bugs.gentoo.org/729596 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> .../files/trojita-0.7-smtp-handle-tls-errors.patch | 82 +++++++++++++++++++++ mail-client/trojita/trojita-0.7-r3.ebuild | 83 ++++++++++++++++++++++ 2 files changed, 165 insertions(+) Stable? Now that it was merged to master, sure. Nobody has stabled this yet, so let's reuse the bug for the imminently-patched CVE-2019-10734. * CVE-2019-10734 Description: "In the scope of academic research in cooperation with Ruhr-Uni Bochum and FH Münster, Germany we discovered a security issue in Trojitá: An attacker who is in possession of PGP or S/MIME encrypted messages can embed them into a multipart message and re-send them to the intended receiver. When the message is read and decrypted by the receiver, the attacker's content is shown. If the victim replies, the plaintext is leaked to an attacker's email address. The root cause for these vulnerabilities lies in the way Trojitá (and many other mail clients) handle partially encrypted multipart messages." See https://bugs.kde.org/show_bug.cgi?id=404697. Thanks to asturm for pointing this out. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a89ecdd740bdd213af85f03950fdcdaeef4a12ec commit a89ecdd740bdd213af85f03950fdcdaeef4a12ec Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-06-28 20:47:13 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-06-28 21:55:22 +0000 mail-client/trojita: Fix CVE-2019-10734 KDE-bug: https://bugs.kde.org/show_bug.cgi?id=404697 Bug: https://bugs.gentoo.org/729596 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> .../trojita/files/trojita-0.7-CVE-2019-10734.patch | 104 +++++++++++++++++++++ mail-client/trojita/trojita-0.7-r4.ebuild | 84 +++++++++++++++++ 2 files changed, 188 insertions(+) amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29dcb5b60c52945652edc27aa1505e0c48760d49 commit 29dcb5b60c52945652edc27aa1505e0c48760d49 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-06-29 17:25:47 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-06-29 17:36:43 +0000 mail-client/trojita: Cleanup vulnerable 0.7-r2 Bug: https://bugs.gentoo.org/729596 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> mail-client/trojita/trojita-0.7-r2.ebuild | 82 ------------------------------- 1 file changed, 82 deletions(-) kde proj is done here, anyway. Unable to check for sanity:
> no match for package: mail-client/trojita-0.7-r4
|
