Bug 683034 (CVE-2019-10732) - <kde-apps/kmail-19.04.2: decryption based on replying to PGP or S/MIME encrypted emails
Status: RESOLVED FIXED
Alias: CVE-2019-10732
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.kde.org/show_bug.cgi?id=...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: kde-apps-19.04.3
Blocks:
Reported: 2019-04-10 15:19 UTC by Agostino Sarubbo
Modified: 2019-08-15 21:05 UTC

Description Agostino Sarubbo gentoo-dev 2019-04-10 15:19:08 UTC
From ${URL} :

In KDE KMail 5.10.3, an attacker in possession of S/MIME or PGP encrypted emails
can wrap them as sub-parts within a crafted multipart email. The encrypted
part(s) can further be hidden using HTML/CSS or ASCII newline characters. This
modified multipart email can be re-sent by the attacker to the intended
receiver. If the receiver replies to this (benign looking) email, they
unknowingly leak the plaintext of the encrypted message part(s) back to the
attacker.

Reference:
https://bugs.kde.org/show_bug.cgi?id=404698


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
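
A defender-side check for the message structure described in the advisory text above, as an added example that is not part of this bug report or of KMail's code: it walks the MIME tree and reports encrypted parts (PGP/MIME, S/MIME, inline PGP armor) that sit below the message root, a layout a mail gateway or client can treat as suspicious before decrypting and quoting on reply. The function names and both sample messages are constructed for illustration.

```python
from email import message_from_string

PKCS7 = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
ARMOR = b"-----BEGIN PGP MESSAGE-----"

# Constructed sample data: a PGP/MIME container with placeholder ciphertext.
ENC = ('Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="in"\n\n'
       '--in\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n'
       '--in\nContent-Type: application/octet-stream\n\n'
       '-----BEGIN PGP MESSAGE-----\n(constructed placeholder)\n-----END PGP MESSAGE-----\n--in--\n')
# Benign-looking text part with the encrypted container wrapped as a sub-part.
WRAPPED = ('Subject: Quick question\nContent-Type: multipart/mixed; boundary="out"\n\n'
           '--out\nContent-Type: text/plain\n\nCan you confirm the time?\n'
           '--out\n' + ENC + '--out--\n')
# Ordinary encrypted mail: the encrypted container is the root of the message.
DIRECT = 'Subject: Report\n' + ENC

def is_encrypted(part):
    """True if this MIME part carries PGP/MIME, S/MIME or inline-PGP ciphertext."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype in PKCS7:
        # signed-data and certs-only bodies are not ciphertext
        kind = str(part.get_param("smime-type", "enveloped-data")).lower()
        return kind not in ("signed-data", "certs-only")
    if part.get_content_maintype() == "text":
        return ARMOR in (part.get_payload(decode=True) or b"")
    return False

def wrapped_encrypted_parts(raw):
    """Return (path, content-type) for every encrypted part that is not the root."""
    findings = []
    def walk(part, path):
        if is_encrypted(part):
            if path != "root":
                findings.append((path, part.get_content_type()))
            return  # do not descend into the ciphertext container itself
        if part.is_multipart():  # also true for message/rfc822 attachments
            for i, child in enumerate(part.get_payload(), 1):
                walk(child, f"{path}.{i}")
    walk(message_from_string(raw), "root")
    return findings

if __name__ == "__main__":
    for name, raw in (("WRAPPED", WRAPPED), ("DIRECT", DIRECT)):
        print(name, wrapped_encrypted_parts(raw))
```
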
Comment 1 Andreas Sturmlechner gentoo-dev 2019-07-28 08:01:55 UTC
19.04.3 was stabilised, cleanup done in 420336464e757748fd3f7b63bdb565f3529b203c
Comment 2 Andreas Sturmlechner gentoo-dev 2019-07-29 18:46:26 UTC
KDE team is done here, anyway.