Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3

2017-09-07 Thread Adam D. Barratt
Control: tags -1 + pending

On Tue, 2017-08-22 at 21:18 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-08-21 at 18:04 +0200, Sandro Knauß wrote:
> > now I rebuilt the package with the attached debdiff on a sbuild -d
> > stretch-amd64 and tried kontact under VirtualBox.
> 
> Please go ahead.
> 

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#869573: Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3

2017-08-25 Thread Salvatore Bonaccorso
Hi Sandro,

On Fri, Aug 25, 2017 at 07:49:05PM +0200, Sandro Knauß wrote:
> Hello security team,
> 
> just to mention the bug to you:
> 869573
> when updated, will fix CVE-2017-9604 for jessie.
> 
> and the bugs
> 869574
> 869577
> will fix CVE-2017-9604 for stretch.
> 
> I saw at [1] that I had forgotten to send you this message.
> 
> See the discussion in 864804 for why this is handled via pu.

Thanks for the heads up. We are tracking those already and will update
the security-tracker once the point releases have happened.

Thank you for taking care of those,

Regards,
Salvatore



Bug#869573: Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3

2017-08-25 Thread Sandro Knauß
Hello security team,

just to mention the bug to you:
869573
when updated, will fix CVE-2017-9604 for jessie.

and the bugs
869574
869577
will fix CVE-2017-9604 for stretch.

I saw at [1] that I had forgotten to send you this message.

See the discussion in 864804 for why this is handled via pu.

Best Regards,

sandro

[1] https://security-tracker.debian.org/tracker/CVE-2017-9604

--

On Tuesday, 22 August 2017 21:18:23 CEST Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-08-21 at 18:04 +0200, Sandro Knauß wrote:
> > now I rebuilt the package with the attached debdiff on a sbuild -d
> > stretch-amd64 and tried kontact under VirtualBox.
> 
> Please go ahead.
> 
> Regards,
> 
> Adam



signature.asc
Description: This is a digitally signed message part.


Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3

2017-08-22 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2017-08-21 at 18:04 +0200, Sandro Knauß wrote:
> now I rebuilt the package with the attached debdiff on a sbuild -d
> stretch-amd64 and tried kontact under VirtualBox.

Please go ahead.

Regards,

Adam



Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3

2017-08-21 Thread Sandro Knauß
Hey,

now I rebuilt the package with the attached debdiff on a sbuild -d
stretch-amd64 and tried kontact under VirtualBox.

Best Regards,

sandro

--
On Monday, 24 July 2017 16:26:22 CEST Adam D. Barratt wrote:
> On 2017-07-24 15:45, Sandro Knauß wrote:
> > Control: tags -1 - moreinfo
> > 
> >> We'll need to see a debdiff of the proposed package, built and tested
> >> on
> >> stretch, before going any further, please.
> > 
> > The debdiff is the version that is currently in testing. The diff was
> > created when testing was in deep freeze, so it is actually the version
> > state that is now in stretch. The version number may need to be adjusted.
> 
> It *will* need to be adjusted. You can't re-upload with a version number
> that's already been used.
> 
> Again, what was requested was a debdiff of the actual proposed package,
> not simply the result of comparing the current unstable/testing package
> against stable.
> 
> Regards,
> 
> Adam

diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog
--- kf5-messagelib-16.04.3/debian/changelog	2016-08-02 14:07:27.0 +0200
+++ kf5-messagelib-16.04.3/debian/changelog	2017-06-17 09:08:12.0 +0200
@@ -1,3 +1,13 @@
+kf5-messagelib (4:16.04.3-3~deb9u1) stretch; urgency=high
+
+  * Team upload.
+
+  [ Sandro Knauß ]
+  * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803)
+- Added upstream patch fix-CVE-2017-9604.patch
+
+ -- Sandro Knauß   Sat, 17 Jun 2017 09:08:12 +0200
+
 kf5-messagelib (4:16.04.3-2) unstable; urgency=high
 
   [ Automatic packaging ]
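Review bot: the new `4:16.04.3-3~deb9u1` entry at the top of the hunk reuses the unstable entry's changelog text and trailer timestamp (`Sat, 17 Jun 2017 09:08:12 +0200`) unchanged, so nothing in the changelog records that this is the stretch rebuild of 4:16.04.3-3 or when the stretch package was actually prepared; add a line such as `* Rebuild for stretch (stretch-pu, see #869577)` and refresh the trailer date before upload. Keeping `Closes: #864803` is fine, since that is the CVE bug.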
diff -Nru kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch
--- kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch	1970-01-01 01:00:00.0 +0100
+++ kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch	2017-06-17 09:08:12.0 +0200
@@ -0,0 +1,26 @@
+From c54706e990bbd6498e7b1597ec7900bc809e8197 Mon Sep 17 00:00:00 2001
+From: Montel Laurent 
+Date: Fri, 2 Jun 2017 13:56:41 +0200
+Subject: Make sure to sign/encrypt message when we send later
+
+(cherry picked from commit 4048f5e46d0a7d62d93d74fd2861dd70fb2ad660)
+---
+ messagecomposer/src/composer/composerviewbase.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp
+index d44b8b2..672ea1e 100644
+--- a/messagecomposer/src/composer/composerviewbase.cpp
 b/messagecomposer/src/composer/composerviewbase.cpp
+@@ -468,7 +468,7 @@ void MessageComposer::ComposerViewBase::slotEmailAddressResolved(KJob *job)
+ // if so, we create a composer per format
+ // if we aren't signing or encrypting, this just returns a single empty message
+ bool wasCanceled = false;
+-if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone) {
++if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone && !mSendLaterInfo) {
+ MessageComposer::Composer *composer = new MessageComposer::Composer;
+ composer->setNoCrypto(true);
+ m_composers.append(composer);
+-- 
+cgit v0.11.2
+
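Review bot: the changed condition (`+-if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone) {` to `++if (... && !mSendLaterInfo) {`) only stops the `composer->setNoCrypto(true)` composer from being built when a send-later job is pending; the hunk shows nothing of the branch taken instead, so the stretch test run should explicitly verify that a message queued via "Send Later" with OpenPGP signing or encryption enabled arrives signed/encrypted, and that the `m_neverEncrypt` case without send-later still produces the plain composer as before. One formatting check: the `+++ b/messagecomposer/src/composer/composerviewbase.cpp` header line appears here as ` b/messagecomposer/src/composer/composerviewbase.cpp` with its leading `+` characters missing, so confirm the patch file in the actual source package is intact, otherwise quilt will not apply it.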
diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series
--- kf5-messagelib-16.04.3/debian/patches/series	2016-08-02 14:07:27.0 +0200
+++ kf5-messagelib-16.04.3/debian/patches/series	2017-06-17 09:08:12.0 +0200
@@ -1,2 +1,3 @@
 upstream_add_copying_files.patch
 make-it-impossible-to-override-css-settings-from-a-h.patch
+fix-CVE-2017-9604.patch


signature.asc
Description: This is a digitally signed message part.


Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3

2017-07-24 Thread Adam D. Barratt

On 2017-07-24 15:45, Sandro Knauß wrote:
> Control: tags -1 - moreinfo
> 
> > We'll need to see a debdiff of the proposed package, built and tested
> > on stretch, before going any further, please.
> 
> The debdiff is the version that is currently in testing. The diff was
> created when testing was in deep freeze, so it is actually the version
> state that is now in stretch. The version number may need to be adjusted.

It *will* need to be adjusted. You can't re-upload with a version number
that's already been used.

Again, what was requested was a debdiff of the actual proposed package,
not simply the result of comparing the current unstable/testing package
against stable.


Regards,

Adam



Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3

2017-07-24 Thread Sandro Knauß
Control: tags -1 - moreinfo
 
> We'll need to see a debdiff of the proposed package, built and tested on
> stretch, before going any further, please.

The debdiff is the version that is currently in testing. The diff was created
when testing was in deep freeze, so it is actually the version state that is
now in stretch. The version number may need to be adjusted.

Best Regards,

sandro
diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog
--- kf5-messagelib-16.04.3/debian/changelog	2016-08-02 14:07:27.0 +0200
+++ kf5-messagelib-16.04.3/debian/changelog	2017-06-17 09:08:12.0 +0200
@@ -1,3 +1,13 @@
+kf5-messagelib (4:16.04.3-3) unstable; urgency=high
+
+  * Team upload.
+
+  [ Sandro Knauß ]
+  * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803)
+- Added upstream patch fix-CVE-2017-9604.patch
+
+ -- Sandro Knauß   Sat, 17 Jun 2017 09:08:12 +0200
+
 kf5-messagelib (4:16.04.3-2) unstable; urgency=high
 
   [ Automatic packaging ]
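Review bot: the entry is versioned `4:16.04.3-3` with distribution `unstable`, which is the version already uploaded to unstable and cannot be reused for a stretch upload; a stretch-pu package needs a stable-specific version that sorts below the unstable one (e.g. `4:16.04.3-3~deb9u1`) and `stretch` as the target distribution, and the debdiff submitted should be of that rebuilt package against the current stretch version rather than a copy of the testing diff.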
diff -Nru kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch
--- kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch	1970-01-01 01:00:00.0 +0100
+++ kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch	2017-06-17 08:35:48.0 +0200
@@ -0,0 +1,26 @@
+From c54706e990bbd6498e7b1597ec7900bc809e8197 Mon Sep 17 00:00:00 2001
+From: Montel Laurent 
+Date: Fri, 2 Jun 2017 13:56:41 +0200
+Subject: Make sure to sign/encrypt message when we send later
+
+(cherry picked from commit 4048f5e46d0a7d62d93d74fd2861dd70fb2ad660)
+---
+ messagecomposer/src/composer/composerviewbase.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp
+index d44b8b2..672ea1e 100644
+--- a/messagecomposer/src/composer/composerviewbase.cpp
 b/messagecomposer/src/composer/composerviewbase.cpp
+@@ -468,7 +468,7 @@ void MessageComposer::ComposerViewBase::slotEmailAddressResolved(KJob *job)
+ // if so, we create a composer per format
+ // if we aren't signing or encrypting, this just returns a single empty message
+ bool wasCanceled = false;
+-if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone) {
++if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone && !mSendLaterInfo) {
+ MessageComposer::Composer *composer = new MessageComposer::Composer;
+ composer->setNoCrypto(true);
+ m_composers.append(composer);
+-- 
+cgit v0.11.2
+
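Review bot: the patch carries only git headers (`From:`, `Date:`, `Subject:` and the `(cherry picked from commit 4048f5e46d0a7d62d93d74fd2861dd70fb2ad660)` line) and no DEP-3 `Origin:` or `Bug-Debian:` fields, so add `Origin: upstream, commit c54706e990bbd6498e7b1597ec7900bc809e8197` and `Bug-Debian: https://bugs.debian.org/864803` at the top of the file so the patch documents its own provenance and the CVE it addresses without readers having to consult the changelog.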
diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series
--- kf5-messagelib-16.04.3/debian/patches/series	2016-08-02 14:07:27.0 +0200
+++ kf5-messagelib-16.04.3/debian/patches/series	2017-06-17 09:02:09.0 +0200
@@ -1,2 +1,3 @@
 upstream_add_copying_files.patch
 make-it-impossible-to-override-css-settings-from-a-h.patch
+fix-CVE-2017-9604.patch


signature.asc
Description: This is a digitally signed message part.


Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3

2017-07-24 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2017-07-24 15:22, Sandro Knauß wrote:
> in order to fix CVE-2017-9604: "Send Later with Delay bypasses
> OpenPGP" (Closes: #864803), I want to request a point update for
> kdepim.
> 
> As discussed in #864803, the security team don't want to warrant a DSA
> on its own, and propose to do a pu for kf5-messagelib.


We'll need to see a debdiff of the proposed package, built and tested on 
stretch, before going any further, please.


Regards,

Adam



Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3

2017-07-24 Thread Sandro Knauß
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu


Hey,

in order to fix CVE-2017-9604: "Send Later with Delay bypasses
OpenPGP" (Closes: #864803), I want to request a point update for kdepim.
As discussed in #864803, the security team don't want to warrant a DSA
on its own, and propose to do a pu for kf5-messagelib.

Just for keeping the overview:
* for jessie we need only kdepim updated (see #869573)
* for stretch the kdepim package was split into kf5-messagelib and
  kdepim, and both need to be updated in order to fix CVE-2017-9604.
  Both packages are fixed in testing with the version:
  kdepim 4:16.04.3-4 (see #869574)
  kf5-messagelib 4:16.04.3-3

Best Regards,

sandro


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-updates'), (500, 
'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)