
Bug 807355 (CVE-2021-38373)

Summary: <kde-apps/kdepim-runtime-21.08.3, <kde-apps/kimap-21.08.3-r1, <kde-apps/ksmtp-21.08.3-r1, <kde-apps/kmailtransport-21.08.3-r2: STARTTLS preference not respected (CVE-2021-38373)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
Keywords: PullRequest
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://kde.org/info/security/advisory-20211118-1.txt
See Also: https://invent.kde.org/pim/ksmtp/-/merge_requests/5
https://invent.kde.org/pim/kmailtransport/-/merge_requests/9
https://invent.kde.org/pim/ksmtp/-/merge_requests/6
https://invent.kde.org/pim/ksmtp/-/merge_requests/7
https://invent.kde.org/pim/ksmtp/-/merge_requests/8
https://bugs.kde.org/show_bug.cgi?id=423424
https://invent.kde.org/pim/kimap/-/merge_requests/10
https://github.com/gentoo/gentoo/pull/23051
https://bugs.kde.org/show_bug.cgi?id=423423
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 822177    
Bug Blocks: 807352    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-10 01:40:39 UTC
See https://bugs.kde.org/show_bug.cgi?id=423423.
Comment 1 Andreas Sturmlechner gentoo-dev 2021-11-23 15:50:05 UTC
Packages to receive fixes for this bug:
kde-apps/kimap
kde-apps/ksmtp
kde-apps/kmailtransport (as a follow-up to ksmtp API change)

Fixes already part of 21.08.3:
https://invent.kde.org/pim/kdepim-runtime/-/commit/edb7f6fdea2c9f44085a042531f56223f3fd8a2f
https://invent.kde.org/pim/kimap/-/commit/7ee24189
https://invent.kde.org/pim/ksmtp/-/commit/fca378d5
Comment 2 Larry the Git Cow gentoo-dev 2021-11-23 20:13:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a787119b1333e52653d3c394fcb0b56cbfd4d0ff

commit a787119b1333e52653d3c394fcb0b56cbfd4d0ff
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-23 15:55:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-23 20:04:52 +0000

    kde-apps/kimap: Fix CVE-2021-38373
    
    Upstream commit 5aed4138567934c3be20cddb60fe6d7d4a10da0f
    
    KDE-bug: https://bugs.kde.org/show_bug.cgi?id=423424
    Bug: https://bugs.gentoo.org/807355
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../kimap/files/kimap-21.08.3-CVE-2021-38373.patch | 51 ++++++++++++++++++++++
 kde-apps/kimap/kimap-21.08.3-r1.ebuild             | 42 ++++++++++++++++++
 2 files changed, 93 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4754456d4c60b3dc562a7d32de2ff6bf66ab6679

commit 4754456d4c60b3dc562a7d32de2ff6bf66ab6679
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-23 15:21:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-23 20:04:51 +0000

    kde-apps/kmailtransport: Adapt to kde-apps/ksmtp CVE-2021-38373 fix
    
    Upstream commit cc4907eba8e16c319fb837b5ec85393b118c4ab6
    
    KDE-bug: https://bugs.kde.org/show_bug.cgi?id=423423
    Bug: https://bugs.gentoo.org/807355
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../kmailtransport-21.08.3-CVE-2021-38373.patch    | 63 ++++++++++++++++++++++
 .../kmailtransport-21.08.3-r2.ebuild               | 49 +++++++++++++++++
 2 files changed, 112 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d93c611084e91b9212952534ec6ed3ae6cdf53e1

commit d93c611084e91b9212952534ec6ed3ae6cdf53e1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-23 15:17:22 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-23 20:04:47 +0000

    kde-apps/ksmtp: Fix CVE-2021-38373
    
    Upstream commits:
    8168bc77ec9c61734dd28085f30f3039b1af6bff
    90378276fc79f913762ddb969e6df51603c509bd
    fa16acff6fc3e9b99e435c78196936f90e883521
    f49c27f108362046ef44f3a9183992a42b580fda
    10154ca7362ac26f2bd1f2f66dce6e3b3f065125
    3bf173a4d766fbd6897ec0af840fda58b179a324
    c1a9a152682e7c1215580fedc2bf6f548319d349
    5136cde5f70ef16cf71df234c2184f58573dff94
    02acc7b857ddbcebe0b5ac67effecf25499b2b83
    
    KDE-bug: https://bugs.kde.org/show_bug.cgi?id=423423
    KDE-bug: https://bugs.kde.org/show_bug.cgi?id=423424
    Bug: https://bugs.gentoo.org/807355
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/ksmtp/Manifest                |  1 +
 kde-apps/ksmtp/ksmtp-21.08.3-r1.ebuild | 31 +++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2021-11-23 20:16:52 UTC
Fixes pushed. But still no definitive answer that those are enough yet.
Comment 4 Andreas Sturmlechner gentoo-dev 2021-11-24 12:43:16 UTC
Consider this fixed with the listed versions in $summary.
Comment 5 Andreas Sturmlechner gentoo-dev 2021-11-24 12:45:17 UTC
Also fixed by this round of patches:

https://kde.org/info/security/advisory-20211118-2.txt

Title:          KMail: Endless loop, if the TLS certificate marked as bad
Risk Rating:    Low
Versions:       KMail, ksmtp < 5.18.1, kimap < 5.19.0, kdepim-runtime < 5.18.1
Comment 6 Larry the Git Cow gentoo-dev 2021-11-29 13:52:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02ea47563e80038414d1361c55a8ea5d98dca4ad

commit 02ea47563e80038414d1361c55a8ea5d98dca4ad
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-28 13:08:45 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-29 13:51:58 +0000

    kde-apps/ksmtp: drop 21.04.3*
    
    Bug: https://bugs.gentoo.org/807355
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/ksmtp/Manifest             |  1 -
 kde-apps/ksmtp/ksmtp-21.04.3.ebuild | 28 ----------------------------
 2 files changed, 29 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02effce0adae5b71a81f742448d222749048cfc4

commit 02effce0adae5b71a81f742448d222749048cfc4
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-28 13:08:38 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-29 13:51:56 +0000

    kde-apps/kmailtransport: drop 21.04.3*
    
    Bug: https://bugs.gentoo.org/807355
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/kmailtransport/Manifest                   |  1 -
 .../kmailtransport/kmailtransport-21.04.3.ebuild   | 49 ----------------------
 2 files changed, 50 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=928621e78d1499b6f526bffd5ab565efff04311f

commit 928621e78d1499b6f526bffd5ab565efff04311f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-28 13:08:33 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-29 13:51:55 +0000

    kde-apps/kimap: drop 21.04.3*
    
    Bug: https://bugs.gentoo.org/807355
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/kimap/Manifest             |  1 -
 kde-apps/kimap/kimap-21.04.3.ebuild | 40 -------------------------------------
 2 files changed, 41 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a799563f477ed02c84d96781931e9e4ff218232

commit 9a799563f477ed02c84d96781931e9e4ff218232
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-28 13:08:31 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-29 13:51:54 +0000

    kde-apps/kdepim-runtime: drop 21.04.3*
    
    Bug: https://bugs.gentoo.org/734126
    Bug: https://bugs.gentoo.org/807355
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/kdepim-runtime/Manifest                   |  1 -
 .../kdepim-runtime/kdepim-runtime-21.04.3.ebuild   | 88 ----------------------
 2 files changed, 89 deletions(-)
Comment 7 Andreas Sturmlechner gentoo-dev 2021-11-29 13:53:48 UTC
cleanup done, kde proj out