Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
Control: tags -1 + pending On Tue, 2017-08-22 at 21:18 +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Mon, 2017-08-21 at 18:04 +0200, Sandro Knauß wrote: > > now I rebuilt the package with the attached debdif on a sbuild -d > > stretch- > > amd64 and tried kontact under a virtualbox. > > Please go ahead. > Uploaded and flagged for acceptance. Regards, Adam
Bug#869573: Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
Hi Sandro, On Fri, Aug 25, 2017 at 07:49:05PM +0200, Sandro Knauß wrote: > Hello security team, > > just for you to mention the bug: > 869573 > when updated will fix CVE-2017-9604 for jessie. > > and the bugs > 869574 > 869577 > will fix CVE-2017-9604 for stretch. > > I saw at [1] that I've forgotten to send you this message. > > See the discussion on 864804, why this is handled via pu. Thanks for the heads up. We are tracking those already and will update the security-tracker once the point releases have happened. Thank you for taking care of those, Regards, Salvatore
Bug#869573: Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
Hello security team, just for you to mention the bug: 869573 when updated will fix CVE-2017-9604 for jessie. and the bugs 869574 869577 will fix CVE-2017-9604 for stretch. I saw at [1] that I've forgotten to send you this message. See the discussion on 864804, why this is handled via pu. Best Regards, sandro [1] https://security-tracker.debian.org/tracker/CVE-2017-9604 -- On Dienstag, 22. August 2017 21:18:23 CEST Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Mon, 2017-08-21 at 18:04 +0200, Sandro Knauß wrote: > > now I rebuilt the package with the attached debdif on a sbuild -d stretch- > > amd64 and tried kontact under a virtualbox. > > Please go ahead. > > Regards, > > Adam signature.asc Description: This is a digitally signed message part.
Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
Control: tags -1 + confirmed On Mon, 2017-08-21 at 18:04 +0200, Sandro Knauß wrote: > now I rebuilt the package with the attached debdif on a sbuild -d stretch- > amd64 and tried kontact under a virtualbox. Please go ahead. Regards, Adam
Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
Hey, now I rebuilt the package with the attached debdif on a sbuild -d stretch- amd64 and tried kontact under a virtualbox. Best Regards, sandro -- On Montag, 24. Juli 2017 16:26:22 CEST Adam D. Barratt wrote: > On 2017-07-24 15:45, Sandro Knauß wrote: > > Control: tags -1 - moreinfo > > > >> We'll need to see a debdiff of the proposed package, built and tested > >> on > >> stretch, before going any further, please. > > > > The debdiff is the version, that is currently in testing. The diff was > > created > > when testing was in deep freeze, so actually the version state, that is > > now in > > stretch. The versionnumber may need to be adjusted. > > It *will* need to be adjusted. You can't re-upload with a version number > that's already been used. > > Again, what was requested was a debdiff of the actual proposed package, > not simply the result of comparing the current unstable/testing package > against stable. > > Regards, > > Adam diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog --- kf5-messagelib-16.04.3/debian/changelog 2016-08-02 14:07:27.0 +0200 +++ kf5-messagelib-16.04.3/debian/changelog 2017-06-17 09:08:12.0 +0200 @@ -1,3 +1,13 @@ +kf5-messagelib (4:16.04.3-3~deb9u1) stretch; urgency=high + + * Team upload. + + [ Sandro Knauß ] + * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803) +- Added upstream patch fix-CVE-2017-9604.patch + + -- Sandro KnaußSat, 17 Jun 2017 09:08:12 +0200 + kf5-messagelib (4:16.04.3-2) unstable; urgency=high [ Automatic packaging ] diff -Nru kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch --- kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 1970-01-01 01:00:00.0 +0100 +++ kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 2017-06-17 09:08:12.0 +0200 @@ -0,0 +1,26 @@ +From c54706e990bbd6498e7b1597ec7900bc809e8197 Mon Sep 17 00:00:00 2001 +From: Montel Laurent +Date: Fri, 2 Jun 2017 13:56:41 +0200 +Subject: Make sure to sign/encrypt message when we send later + +(cherry picked from commit 4048f5e46d0a7d62d93d74fd2861dd70fb2ad660) +--- + messagecomposer/src/composer/composerviewbase.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp +index d44b8b2..672ea1e 100644 +--- a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp +@@ -468,7 +468,7 @@ void MessageComposer::ComposerViewBase::slotEmailAddressResolved(KJob *job) + // if so, we create a composer per format + // if we aren't signing or encrypting, this just returns a single empty message + bool wasCanceled = false; +-if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone) { ++if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone && !mSendLaterInfo) { + MessageComposer::Composer *composer = new MessageComposer::Composer; + composer->setNoCrypto(true); + m_composers.append(composer); +-- +cgit v0.11.2 + diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series --- kf5-messagelib-16.04.3/debian/patches/series 2016-08-02 14:07:27.0 +0200 +++ kf5-messagelib-16.04.3/debian/patches/series 2017-06-17 09:08:12.0 +0200 @@ -1,2 +1,3 @@ upstream_add_copying_files.patch make-it-impossible-to-override-css-settings-from-a-h.patch +fix-CVE-2017-9604.patch signature.asc Description: This is a digitally signed message part.
Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
On 2017-07-24 15:45, Sandro Knauß wrote: Control: tags -1 - moreinfo We'll need to see a debdiff of the proposed package, built and tested on stretch, before going any further, please. The debdiff is the version, that is currently in testing. The diff was created when testing was in deep freeze, so actually the version state, that is now in stretch. The versionnumber may need to be adjusted. It *will* need to be adjusted. You can't re-upload with a version number that's already been used. Again, what was requested was a debdiff of the actual proposed package, not simply the result of comparing the current unstable/testing package against stable. Regards, Adam
Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
Control: tags -1 - moreinfo > We'll need to see a debdiff of the proposed package, built and tested on > stretch, before going any further, please. The debdiff is the version, that is currently in testing. The diff was created when testing was in deep freeze, so actually the version state, that is now in stretch. The versionnumber may need to be adjusted. Best Regards, sandro diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog --- kf5-messagelib-16.04.3/debian/changelog 2016-08-02 14:07:27.0 +0200 +++ kf5-messagelib-16.04.3/debian/changelog 2017-06-17 09:08:12.0 +0200 @@ -1,3 +1,13 @@ +kf5-messagelib (4:16.04.3-3) unstable; urgency=high + + * Team upload. + + [ Sandro Knauß ] + * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803) +- Added upstream patch fix-CVE-2017-9604.patch + + -- Sandro KnaußSat, 17 Jun 2017 09:08:12 +0200 + kf5-messagelib (4:16.04.3-2) unstable; urgency=high [ Automatic packaging ] diff -Nru kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch --- kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 1970-01-01 01:00:00.0 +0100 +++ kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch 2017-06-17 08:35:48.0 +0200 @@ -0,0 +1,26 @@ +From c54706e990bbd6498e7b1597ec7900bc809e8197 Mon Sep 17 00:00:00 2001 +From: Montel Laurent +Date: Fri, 2 Jun 2017 13:56:41 +0200 +Subject: Make sure to sign/encrypt message when we send later + +(cherry picked from commit 4048f5e46d0a7d62d93d74fd2861dd70fb2ad660) +--- + messagecomposer/src/composer/composerviewbase.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp +index d44b8b2..672ea1e 100644 +--- a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp +@@ -468,7 +468,7 @@ void MessageComposer::ComposerViewBase::slotEmailAddressResolved(KJob *job) + // if so, we create a composer per format + // if we aren't signing or encrypting, this just returns a single empty message + bool wasCanceled = false; +-if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone) { ++if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone && !mSendLaterInfo) { + MessageComposer::Composer *composer = new MessageComposer::Composer; + composer->setNoCrypto(true); + m_composers.append(composer); +-- +cgit v0.11.2 + diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series --- kf5-messagelib-16.04.3/debian/patches/series 2016-08-02 14:07:27.0 +0200 +++ kf5-messagelib-16.04.3/debian/patches/series 2017-06-17 09:02:09.0 +0200 @@ -1,2 +1,3 @@ upstream_add_copying_files.patch make-it-impossible-to-override-css-settings-from-a-h.patch +fix-CVE-2017-9604.patch signature.asc Description: This is a digitally signed message part.
Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
Control: tags -1 + moreinfo On 2017-07-24 15:22, Sandro Knauß wrote: in order to fix CVE-2017-9604: "Send Later with Delay bypasses OpenPGP" (Closes: #864803), I want to request a point update for kdepim. As discussed in #864803, the security team don't want to warrent a DSA on it's own. And propose to do a pu for kf5-messagelib. We'll need to see a debdiff of the proposed package, built and tested on stretch, before going any further, please. Regards, Adam
Bug#869577: stretch-pu: package kf5-messagelib/4:16.04.3-3
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hey, in order to fix CVE-2017-9604: "Send Later with Delay bypasses OpenPGP" (Closes: #864803), I want to request a point update for kdepim. As discussed in #864803, the security team don't want to warrent a DSA on it's own. And propose to do a pu for kf5-messagelib. Just for keeping the overview: * for jessie we need only kdepim updated (see #869573) * for stretch the kdepim package was splitted into kf5-messagelib and kdepim, and both needs to be updated in order to fix CVE-2017-9604. Both packages are fixed in testing with the version: kdepim 4:16.04.3-4 (see #869574) kf5-messagelib 4:16.04.3-3 Best Regards, sandro -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)