
Bug 734126 (CVE-2020-15954)

Summary: <kde-apps/kmail-account-wizard-20.04.3-r1, <kde-apps/kdepim-runtime-21.08.3-r1: Possible improper TLS handling (CVE-2020-15954)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.kde.org/show_bug.cgi?id=423426
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 731966, 822177    
Bug Blocks: 807352    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 18:08:09 UTC
From URL:

The setup wizard in kmail defaults to unencrypted connections. When the user clicks on "Check Mail" after the setup, the username and password are sent in the clear. I have not found a way to tell kmail in the manual configuration to use implicit TLS or STARTTLS.

What is even worse: assume you know about that and try to configure STARTTLS directly after the setup. In this case it happens that future connections still happen unencrypted, even though the UI tells otherwise. I clicked on "Restart" in the UI several times and also restarted Akonadi and KMail. In this case, I found that POP3 was once even reset back to "Unencrypted". After a few more tries it seems to have settled down to use STARTTLS.

Relatively minor issue, but bug appears unfixed.
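The failure mode in the report above is a client that sends POP3 USER/PASS before any TLS is in place, and a wizard that defaults to "unencrypted" instead of probing what the server supports (which is what the later kdepim-runtime fix, "Make POP3 setup wizard check encrypt support", addresses). The following is an added illustration, not KMail or Akonadi code: it models the client-side guard and the wizard decision against a constructed in-memory POP3 server that speaks the CAPA (RFC 2449) and STLS (RFC 2595) extensions. `FakePop3Server`, `Pop3Client`, `wizard_choice` and the "SSL/TLS"/"STARTTLS" labels are names chosen here for the example; the `pop3s_reachable` flag stands in for a real probe of port 995.

```python
"""Client-side guard against sending POP3 credentials in the clear.

Added example, not code from KMail/Akonadi. The server below is a constructed
stand-in that answers CAPA and STLS; no network is used.
"""
from dataclasses import dataclass, field


class PlaintextCredentialsRefused(Exception):
    """Raised when a login would put the password on the wire unencrypted."""


@dataclass
class FakePop3Server:
    """Constructed in-memory POP3 server; 'capabilities' is its CAPA list."""
    capabilities: tuple
    tls_upgraded: bool = False
    transcript: list = field(default_factory=list)  # every client line, in order

    def handle(self, line: str) -> list:
        self.transcript.append(line)
        cmd = line.split()[0].upper()
        if cmd == "CAPA":
            return ["+OK Capability list follows", *self.capabilities, "."]
        if cmd == "STLS":
            if "STLS" in self.capabilities and not self.tls_upgraded:
                self.tls_upgraded = True
                return ["+OK Begin TLS negotiation"]
            return ["-ERR STLS not available"]
        if cmd in ("USER", "PASS"):
            return ["+OK"]
        return ["-ERR unknown command"]


class Pop3Client:
    """Minimal client; the rule that matters for the bug lives in login()."""

    def __init__(self, server: FakePop3Server, implicit_tls: bool = False):
        self.server = server
        # True when the socket was opened to the pop3s port (995) and wrapped
        # in TLS before the first byte; False on port 110 until STLS succeeds.
        self.encrypted = implicit_tls

    def capa(self) -> set:
        resp = self.server.handle("CAPA")
        if not resp[0].startswith("+OK"):
            return set()
        return {item.split()[0].upper() for item in resp[1:] if item != "."}

    def starttls(self) -> bool:
        """Upgrade via STLS; returns False (and stays plaintext) if unsupported."""
        if "STLS" not in self.capa():
            return False
        resp = self.server.handle("STLS")
        if not resp[0].startswith("+OK"):
            return False
        # A real client wraps the socket here (ssl.SSLContext.wrap_socket with
        # hostname verification) and re-issues CAPA afterwards, since the
        # pre-TLS capability list could have been altered by an on-path attacker.
        self.encrypted = True
        return True

    def login(self, user: str, password: str) -> bool:
        # This check is exactly what was missing: never emit USER/PASS unless
        # the session is already encrypted (implicit TLS or a completed STLS).
        if not self.encrypted:
            raise PlaintextCredentialsRefused(
                "refusing to send USER/PASS: session is not encrypted")
        ok_user = self.server.handle(f"USER {user}")[0].startswith("+OK")
        ok_pass = self.server.handle(f"PASS {password}")[0].startswith("+OK")
        return ok_user and ok_pass


def wizard_choice(server: FakePop3Server, pop3s_reachable: bool):
    """What a setup wizard should select instead of defaulting to 'unencrypted':
    implicit TLS if the pop3s port answers, else STARTTLS if CAPA lists STLS,
    else None so the UI can refuse rather than silently fall back to plaintext."""
    if pop3s_reachable:
        return "SSL/TLS"
    if "STLS" in Pop3Client(server).capa():
        return "STARTTLS"
    return None


if __name__ == "__main__":
    plain = FakePop3Server(capabilities=("USER", "TOP", "UIDL"))
    try:
        Pop3Client(plain).login("alice", "s3cret")
    except PlaintextCredentialsRefused as exc:
        print("plaintext-only server:", exc)
    stls = FakePop3Server(capabilities=("USER", "STLS", "UIDL"))
    client = Pop3Client(stls)
    print("STLS server: upgraded =", client.starttls(),
          "login =", client.login("alice", "s3cret"))
    print("wizard picks:", wizard_choice(plain, False), wizard_choice(stls, False))
```

The transcript kept by the fake server is the thing to inspect: against the STLS-capable server the PASS line only ever appears after a successful STLS, and against the plaintext-only server it never appears at all. The same ordering can be verified on a real setup by capturing port 110 traffic and confirming that no `USER`/`PASS` lines are visible before the TLS handshake.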
Comment 1 Larry the Git Cow gentoo-dev 2020-08-01 22:57:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=532434ebeb2f497074e85ce7babad5e12abf2f21

commit 532434ebeb2f497074e85ce7babad5e12abf2f21
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-08-01 15:50:09 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-01 22:57:18 +0000

    kde-apps/kmail-account-wizard: Fix CVE-2020-15954
    
    Bug: https://bugs.gentoo.org/734126
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 ...ail-account-wizard-20.04.3-CVE-2020-15954.patch | 81 ++++++++++++++++++++++
 .../kmail-account-wizard-20.04.3-r1.ebuild         | 55 +++++++++++++++
 2 files changed, 136 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b890132492bdf7f2a8de0156c370574a4ab5f13a

commit b890132492bdf7f2a8de0156c370574a4ab5f13a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-08-01 15:46:33 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-01 22:57:17 +0000

    kde-apps/kdepim-runtime: Fix CVE-2020-15954
    
    Bug: https://bugs.gentoo.org/734126
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../kdepim-runtime-20.04.3-CVE-2020-15954.patch    | 28 +++++++
 .../kdepim-runtime-20.04.3-r1.ebuild               | 91 ++++++++++++++++++++++
 2 files changed, 119 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-01 23:41:05 UTC
Thanks. Tell us when ready to stable.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-04 01:40:05 UTC
arm64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-08-05 14:22:36 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-08-06 11:47:50 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Larry the Git Cow gentoo-dev 2020-08-06 15:04:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe9566dbf9ea137ebcf317597dda48f9659ccd18

commit fe9566dbf9ea137ebcf317597dda48f9659ccd18
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-08-05 14:31:09 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-06 15:04:36 +0000

    kde-apps/kmail-account-wizard: Drop 20.04.3 (r0)
    
    Bug: https://bugs.gentoo.org/734126
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../kmail-account-wizard-20.04.3.ebuild            | 53 ----------------------
 1 file changed, 53 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75be503641bfc5f16b7a96492229aa145321ca2c

commit 75be503641bfc5f16b7a96492229aa145321ca2c
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-08-05 14:30:48 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-06 15:04:36 +0000

    kde-apps/kdepim-runtime: Drop 20.04.3 (r0)
    
    Bug: https://bugs.gentoo.org/734126
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../kdepim-runtime/kdepim-runtime-20.04.3.ebuild   | 89 ----------------------
 1 file changed, 89 deletions(-)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 19:38:01 UTC
Thanks. Cleanup done.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-08 02:43:27 UTC
GLSA vote: no

Closing.
Comment 11 Andreas Sturmlechner gentoo-dev 2021-11-11 15:17:46 UTC
Reopened upstream. https://bugs.kde.org/show_bug.cgi?id=423426#c8
Comment 12 NATTkA bot gentoo-dev 2021-11-11 15:20:57 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 13 Larry the Git Cow gentoo-dev 2021-11-13 20:01:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c480e1e4a9dff1f0ef70c19ab791ec1a202e9734

commit c480e1e4a9dff1f0ef70c19ab791ec1a202e9734
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-13 17:40:29 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-13 19:50:48 +0000

    kde-apps/kdepim-runtime: Make POP3 setup wizard check encrypt support
    
    Upstream commit 35447bd04e8c12afac524e1c4556ef3db088e014
    
    KDE-bug: https://bugs.kde.org/show_bug.cgi?id=423426
    Bug: https://bugs.gentoo.org/734126
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../kdepim-runtime-21.08.3-CVE-2020-15954.patch    | 110 +++++++++++++++++++++
 .../kdepim-runtime-21.08.3-r1.ebuild               |  90 +++++++++++++++++
 2 files changed, 200 insertions(+)
Comment 14 Andreas Sturmlechner gentoo-dev 2021-11-23 20:21:49 UTC
No further change to kde-apps/kmail-account-wizard necessary in 21.08.3.
Comment 15 Larry the Git Cow gentoo-dev 2021-11-29 13:52:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a799563f477ed02c84d96781931e9e4ff218232

commit 9a799563f477ed02c84d96781931e9e4ff218232
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-28 13:08:31 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-29 13:51:54 +0000

    kde-apps/kdepim-runtime: drop 21.04.3*
    
    Bug: https://bugs.gentoo.org/734126
    Bug: https://bugs.gentoo.org/807355
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/kdepim-runtime/Manifest                   |  1 -
 .../kdepim-runtime/kdepim-runtime-21.04.3.ebuild   | 88 ----------------------
 2 files changed, 89 deletions(-)
Comment 16 Andreas Sturmlechner gentoo-dev 2021-11-29 13:53:33 UTC
cleanup done
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 01:15:24 UTC
Thanks! All done, again.