Bug 621828 (CVE-2017-9604) - <kde-apps/kmail-17.04.2 - <kde-apps/messagelib-17.04.2 - <kde-apps/kdepim-common-libs-4.14.11_pre20160611: send later feature doesn't have "sign/encryption" action ensured (CVE-2017-9604)
Summary: <kde-apps/kmail-17.04.2 - <kde-apps/messagelib-17.04.2 - <kde-apps/kdepim-com...
Status: RESOLVED FIXED
Alias: CVE-2017-9604
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.suse.com/show_bug.cg...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-15 11:42 UTC by Andreas Sturmlechner
Modified: 2017-07-11 01:32 UTC
CC List: 0 users

See Also:
Package list:
kde-apps/kmail-4.14.11_pre20160611-r1 kde-apps/kdepim-common-libs-4.14.11_pre20160611-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Andreas Sturmlechner gentoo-dev 2017-06-15 11:42:32 UTC
Quoting SUSE:

"KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE
Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action
occurs during use of the Send Later feature, which allows remote attackers to
obtain sensitive information by sniffing the network."

Reproducible: Always
* =4.4.2017.04 from pre-akonadi era does not have the feature, no action required
* kde-apps/{kmail,kdepim-common-libs}-4.14.11_pre20160611 need backport bumps
* <17.04.2:5 versions are already gone from tree, nothing to do here
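The description above says Send Later could hand a message to the transport without the plugin's sign/encrypt action having run. The check a practitioner wants after upgrading is to audit what actually left the client. The following is an added example, not code from KMail, messagelib or this bug report. It assumes sent messages are available as raw RFC 5322 bytes (a maildir or mbox folder read through Python's mailbox module) and treats the RFC 3156 PGP/MIME structure as the evidence that sign/encrypt ran; all sample messages are constructed and the armoured blobs are placeholders, not real OpenPGP data.

```python
"""Audit outgoing mail for PGP/MIME protection (RFC 3156).

Added example for CVE-2017-9604, not code from KMail or messagelib.
A message that a sign/encrypt plugin really processed is
multipart/encrypted (protocol application/pgp-encrypted) or
multipart/signed (protocol application/pgp-signature); anything else
that should have been protected is the symptom this bug describes.
"""
import email
import mailbox
from email import policy


def pgp_mime_status(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message by its outer MIME structure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    proto = msg.get_param("protocol", "")
    if isinstance(proto, tuple):  # RFC 2231-encoded parameter
        proto = proto[2]
    proto = proto.lower()
    encrypted = ctype == "multipart/encrypted" and proto == "application/pgp-encrypted"
    signed = ctype == "multipart/signed" and proto == "application/pgp-signature"
    inline = False
    if not (encrypted or signed):
        # Inline (armoured text/plain) PGP is reported separately so it is
        # not mistaken for PGP/MIME: it is what an unprotected message
        # can still look like if the body was pasted in by hand.
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        inline = ("-----BEGIN PGP MESSAGE-----" in text
                  or "-----BEGIN PGP SIGNED MESSAGE-----" in text)
    return {
        "encrypted": encrypted,
        "signed": signed,
        "inline_pgp": inline,
        "cleartext": not (encrypted or signed or inline),
    }


def audit(messages):
    """Return the names of messages that left without PGP/MIME protection.

    `messages` is an iterable of (name, raw_bytes) pairs. Inline PGP is
    counted as unprotected on purpose: a scheduled message that should
    have gone out as PGP/MIME but shows up as anything else is a finding.
    """
    return [name for name, raw in messages
            if not _is_pgp_mime(pgp_mime_status(raw))]


def _is_pgp_mime(status: dict) -> bool:
    return status["encrypted"] or status["signed"]


def audit_mailbox(box: mailbox.Mailbox):
    """Run audit() over a mailbox.Mailbox (mailbox.Maildir for a maildir
    Sent folder, mailbox.mbox for an exported mbox file)."""
    return audit((m.get("Message-ID") or f"<no-id-{i}>", m.as_bytes())
                 for i, m in enumerate(box))


# Constructed samples (not captured traffic); armoured blobs are placeholders.
SAMPLE_ENCRYPTED = b"""\
From: alice@example.org
To: bob@example.org
Subject: scheduled report
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

placeholder-ciphertext
-----END PGP MESSAGE-----
--b1--
"""

SAMPLE_SIGNED = b"""\
From: alice@example.org
To: bob@example.org
Subject: scheduled report
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha256"; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Quarterly numbers attached next week.
--b2
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

placeholder-signature
-----END PGP SIGNATURE-----
--b2--
"""

SAMPLE_CLEARTEXT = b"""\
From: alice@example.org
To: bob@example.org
Subject: scheduled report
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Quarterly numbers: revenue 1.2M, churn 4%.
"""

SAMPLE_INLINE = b"""\
From: alice@example.org
To: bob@example.org
Subject: scheduled report
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

placeholder-ciphertext
-----END PGP MESSAGE-----
"""

SAMPLES = [("enc", SAMPLE_ENCRYPTED), ("sig", SAMPLE_SIGNED),
           ("clear", SAMPLE_CLEARTEXT), ("inline", SAMPLE_INLINE)]

if __name__ == "__main__":
    print("unprotected:", audit(SAMPLES))
```

Run it against a copy of the Sent folder rather than the live one (`audit_mailbox(mailbox.Maildir(path, create=False))`), and restrict the audit to the date range in which Send Later was in use on an affected version: messages that were deliberately sent in the clear will also show up, so the result is a list to review, not a verdict.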
Comment 1 Andreas Sturmlechner gentoo-dev 2017-06-15 11:53:01 UTC
Revbumped kdepim-common-libs and kmail in git commits 380abc6b5465ed4c9f4233a26e47fd120fc57e1d and 9d80a4784aa48c29ad39ed1c39ab0ed45b8867ea respectively.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-06-15 19:13:31 UTC
CVE-2017-9604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9604):
  KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE
  Applications before 17.04.2, do not ensure that a plugin's sign/encrypt
  action occurs during use of the Send Later feature, which allows remote
  attackers to obtain sensitive information by sniffing the network.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-15 19:20:47 UTC
@ Maintainer(s): Thank you for the bump. At least the kde-apps/kmail and kde-apps/kdepim-common-libs packages need stabilization. Can we already stabilize or do you want to wait a few days?
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-16 14:58:21 UTC
https://ctrl.blog/entry/kmail-cve-2017-9604-openpgp
Comment 5 Stabilization helper bot gentoo-dev 2017-06-16 15:04:23 UTC
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated): 

> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=kde-apps/akonadi-17.04.2:5', '>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qttest-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=kde-apps/akonadi-17.04.2:5', '>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=kde-apps/akonadi-17.04.2:5', '>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qttest-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
Comment 6 Stabilization helper bot gentoo-dev 2017-06-16 16:01:06 UTC
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated): 

> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qttest-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
> dependency.bad kde-apps/messagelib/messagelib-17.04.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=kde-apps/akonadi-contacts-17.04.2:5', '>=kde-apps/akonadi-mime-17.04.2:5', '>=kde-apps/grantleetheme-17.04.2:5', '>=kde-apps/incidenceeditor-17.04.2:5', '>=kde-apps/kcalcore-17.04.2:5', '>=kde-apps/kcontacts-17.04.2:5', '>=kde-apps/kdepim-apps-libs-17.04.2:5', '>=kde-apps/kidentitymanagement-17.04.2:5', '>=kde-apps/kldap-17.04.2:5', '>=kde-apps/kmailtransport-17.04.2:5', '>=kde-apps/kmbox-17.04.2:5', '>=kde-apps/kmime-17.04.2:5', '>=kde-apps/kpimtextedit-17.04.2:5', '>=kde-apps/libgravatar-17.04.2:5', '>=kde-apps/libkdepim-17.04.2:5', '>=kde-apps/libkleo-17.04.2:5', '>=dev-qt/qtgui-5.7.0:5=', '>=dev-qt/qtnetwork-5.7.0:5', '>=dev-qt/qtprintsupport-5.7.0:5', '>=dev-qt/qtwebengine-5.7.0:5[widgets]', '>=dev-qt/qtwidgets-5.7.0:5', '>=dev-qt/qttest-5.7.0:5', '>=dev-qt/qtcore-5.7.0:5']
Comment 7 Andreas Sturmlechner gentoo-dev 2017-06-16 16:04:04 UTC
For slot 5 there is nothing to do.
Comment 8 Stabilization helper bot gentoo-dev 2017-06-16 17:00:50 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 9 Agostino Sarubbo gentoo-dev 2017-06-17 15:37:20 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-17 17:26:50 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Andreas Sturmlechner gentoo-dev 2017-06-17 18:46:21 UTC
Thanks for stabilising, -r0 dropped in 7835e83f7e68737719358115797a191920cc6f10 and d6d2e7120749e02f93ddd78662c52554b01c04f2, KDE team done.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-07-11 01:32:36 UTC
GLSA Vote: No