Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package messagelib for openSUSE:Factory checked in at 2021-05-05 20:39:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/messagelib (Old)
 and /work/SRC/openSUSE:Factory/.messagelib.new.2988 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "messagelib" Wed May 5 20:39:04 2021 rev:71 rq:889713 version:21.04.0 Changes: -------- --- /work/SRC/openSUSE:Factory/messagelib/messagelib.changes 2021-04-24 23:09:12.427399380 +0200 +++ /work/SRC/openSUSE:Factory/.messagelib.new.2988/messagelib.changes 2021-05-05 20:39:05.327151137 +0200 @@ -1,0 +2,7 @@ +Fri Apr 30 07:09:07 UTC 2021 - Christophe Giboudeaux <[email protected]> + +- Add upstream change to fix a misbehaviour when deleting + attachments from encrypted messages: + * 0001-Fix-CVE-2021-31855.patch (CVE-2021-31855) + +------------------------------------------------------------------- New: ---- 0001-Fix-CVE-2021-31855.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ messagelib.spec ++++++ --- /var/tmp/diff_new_pack.7EInL9/_old 2021-05-05 20:39:05.943148493 +0200 +++ /var/tmp/diff_new_pack.7EInL9/_new 2021-05-05 20:39:05.947148476 +0200 @@ -32,6 +32,8 @@ Source1: https://download.kde.org/stable/release-service/%{version}/src/%{name}-%{version}.tar.xz.sig Source2: applications.keyring %endif +# PATCH-FIX-UPSTREAM +Patch0: 0001-Fix-CVE-2021-31855.patch BuildRequires: extra-cmake-modules BuildRequires: kf5-filesystem BuildRequires: libQt5Sql-private-headers-devel ++++++ 0001-Fix-CVE-2021-31855.patch ++++++ >From 3b5b171e91ce78b966c98b1292a1bcbc8d984799 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?= <[email protected]> Date: Thu, 29 Apr 2021 22:13:38 +0200 Subject: [PATCH] Fix CVE-2021-31855 Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g. an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. This is not easily noticeable by the user because KMail does not display the decrypted content. --- messageviewer/src/viewer/viewer_p.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/messageviewer/src/viewer/viewer_p.cpp b/messageviewer/src/viewer/viewer_p.cpp index 4591ab1592..c06e148902 100644 --- a/messageviewer/src/viewer/viewer_p.cpp +++ b/messageviewer/src/viewer/viewer_p.cpp @@ -396,7 +396,7 @@ bool ViewerPrivate::deleteAttachment(KMime::Content *node, bool showWarning) KMime::Message *modifiedMessage = mNodeHelper->messageWithExtraContent(mMessage.data()); mMimePartTree->mimePartModel()->setRoot(modifiedMessage); - mMessageItem.setPayloadFromData(modifiedMessage->encodedContent()); + mMessageItem.setPayloadFromData(mMessage->encodedContent()); auto job = new Akonadi::ItemModifyJob(mMessageItem, mSession); job->disableRevisionCheck(); connect(job, &KJob::result, this, &ViewerPrivate::itemModifiedResult); -- 2.31.1
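Review bot: in the messagelib.changes hunk (@@ -1,0 +2,7 @@) the entry calls the issue "a misbehaviour when deleting attachments from encrypted messages", which understates what the patch's own commit message says: the decrypted content of the message is uploaded to the remote server. Suggest wording the entry so that users reading the changelog can tell that plaintext of encrypted mail may already be stored on their IMAP server, since that is the part they have to act on.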
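Review bot: in the messagelib.spec hunk (@@ -32,6 +32,8 @@) the "# PATCH-FIX-UPSTREAM" tag stands alone, with no patch name, reference or description after it; suggest completing the line with the patch file name, CVE-2021-31855 and a one-line summary so the tag is self-explanatory. This is also the only hunk in the spec diff, so %prep is unchanged: confirm that it already applies patches automatically (for example through %autosetup -p1), otherwise Patch0 is declared here but never applied to the build.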
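Review bot: in ViewerPrivate::deleteAttachment (viewer_p.cpp, hunk @@ -396,7 +396,7 @@) the corrected line "mMessageItem.setPayloadFromData(mMessage->encodedContent());" has no comment explaining why the payload must come from mMessage, while modifiedMessage is still built one line above and handed to setRoot(). The two calls now look inconsistent to anyone who has not read the commit message, so a short comment stating that modifiedMessage is for display only and must never be written back to the item would keep a later cleanup from reintroducing the leak. The diffstat shows one file changed with one insertion and one deletion, so no test accompanies the fix; a regression test that deletes an attachment from an encrypted message and checks that the stored payload is still the encrypted content would be worth adding.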
