Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

2019-04-09 Thread Ivo De Decker

Hi,

On 04/09/2019 09:19 PM, Moritz Muehlenhoff wrote:


The tracker for CVE-2017-17689 doesn't list anything related to kdepim or
src:meta-kde for buster. Is the issue fixed in the binary kdepim (produced
by src:meta-kde) in buster? If so, that should probably be stated explicitly
in the tracker.


For buster the affected code is in src:kf5-messagelib and fixed in 4:18.08.1-1

In stretch the affected code is in src:kdepim

In Buster the binary package kdepim is now built out of src:meta-kde, but that
was never affected. That's why we don't track src:meta-kde at all in
https://security-tracker.debian.org/tracker/CVE-2017-17689

Does that clarify?


Yes. I (incorrectly) assumed that the offending code had been in 
meta-kde in buster at some point. As that's not the case, there is 
nothing left to fix for buster.


Thanks for the clarification.

Ivo



Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

2019-04-09 Thread Moritz Muehlenhoff
On Tue, Apr 09, 2019 at 06:49:16PM +0200, Ivo De Decker wrote:
> Hi Salvatore,
> 
> On 4/8/19 10:59 PM, Salvatore Bonaccorso wrote:
> > Control: reassign -1 src:kdepim
> > On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote:
> > > Hi,
> > > 
> > > On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote:
> > > > I now created a debdiff for kdepim. The patch depends on the new symbol that
> > > > was added in new messageviewer (see #899127).
> > > 
> > > Does this bug still affect buster/sid? From the bug log and the tracker for
> > > CVE-2017-17689, it looks like kmail in buster/sid is not affected, but it would
> > > be good if someone could confirm that.
> > 
> > I think the tracking problem was here that #899128 is associated with
> > src:meta-kde, but it should be src:kdepim (#899128) and respectively
> > kf5-messagelib was #899127. The issue was fixed in the kf5-messagelib
> > in version 4:18.08.1-1. In stretch src:kdepim was a source package,
> > whilst in buster kdepim is a binary package produced by kde-meta, but
> > the issue lies there in src:kf5-messagelib.
> 
> The tracker for CVE-2017-17689 doesn't list anything related to kdepim or
> src:meta-kde for buster. Is the issue fixed in the binary kdepim (produced
> by src:meta-kde) in buster? If so, that should probably be stated explicitly
> in the tracker.

For buster the affected code is in src:kf5-messagelib and fixed in 4:18.08.1-1

In stretch the affected code is in src:kdepim

In Buster the binary package kdepim is now built out of src:meta-kde, but that
was never affected. That's why we don't track src:meta-kde at all in
https://security-tracker.debian.org/tracker/CVE-2017-17689

Does that clarify?

Cheers,
Moritz



Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

2019-04-09 Thread Ivo De Decker

Hi Salvatore,

On 4/8/19 10:59 PM, Salvatore Bonaccorso wrote:

Control: reassign -1 src:kdepim
On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote:

Hi,

On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote:

I now created a debdiff for kdepim. The patch depends on the new symbol that
was added in new messageviewer (see #899127).


Does this bug still affect buster/sid? From the bug log and the tracker for
CVE-2017-17689, it looks like kmail in buster/sid is not affected, but it would
be good if someone could confirm that.


I think the tracking problem was here that #899128 is associated with
src:meta-kde, but it should be src:kdepim (#899128) and respectively
kf5-messagelib was #899127. The issue was fixed in the kf5-messagelib
in version 4:18.08.1-1. In stretch src:kdepim was a source package,
whilst in buster kdepim is a binary package produced by kde-meta, but
the issue lies there in src:kf5-messagelib.


The tracker for CVE-2017-17689 doesn't list anything related to kdepim 
or src:meta-kde for buster. Is the issue fixed in the binary kdepim 
(produced by src:meta-kde) in buster? If so, that should probably be 
stated explicitly in the tracker.


The reassign means that the BTS thinks this issue doesn't affect buster 
anymore. I'm assuming that's correct.


Thanks,

Ivo



Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

2019-04-08 Thread Salvatore Bonaccorso
Control: reassign -1 src:kdepim

Hi Ivo,

On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote:
> Hi,
> 
> On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote:
> > I now created a debdiff for kdepim. The patch depends on the new symbol that
> > was added in new messageviewer (see #899127).
> 
> Does this bug still affect buster/sid? From the bug log and the tracker for
> CVE-2017-17689, it looks like kmail in buster/sid is not affected, but it would
> be good if someone could confirm that.

I think the tracking problem was here that #899128 is associated with
src:meta-kde, but it should be src:kdepim (#899128) and respectively
kf5-messagelib was #899127. The issue was fixed in the kf5-messagelib
in version 4:18.08.1-1. In stretch src:kdepim was a source package,
whilst in buster kdepim is a binary package produced by kde-meta, but
the issue lies there in src:kf5-messagelib.

Regards,
Salvatore



Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

2019-04-08 Thread Ivo De Decker
Hi,

On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote:
> I now created a debdiff for kdepim. The patch depends on the new symbol that
> was added in new messageviewer (see #899127).

Does this bug still affect buster/sid? From the bug log and the tracker for
CVE-2017-17689, it looks like kmail in buster/sid is not affected, but it would
be good if someone could confirm that.

Thanks,

Ivo



Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

2018-05-19 Thread Sandro Knauß
Control: tags -1 +patch

Hey,

I now created a debdiff for kdepim. The patch depends on the new symbol that
was added in new messageviewer (see #899127).

hefee

diff -Nru kdepim-16.04.3/debian/changelog kdepim-16.04.3/debian/changelog
--- kdepim-16.04.3/debian/changelog	2017-06-17 12:12:03.0 +0200
+++ kdepim-16.04.3/debian/changelog	2018-05-19 19:11:15.0 +0200
@@ -1,3 +1,15 @@
+kdepim (4:16.04.3-4~deb9u2) stretch; urgency=high
+
+  * Team upload.
+
+  [ Sandro Knauß ]
+  * Limit CVE-2017-17689 (EFAIL) for kmail (Closes: #899128)
+- Added upstream patch (modified to apply)
+  upstream-Distinguish-between-settings-and-explicit-overrides-.patch
+- Update dependendy against kf5-messagelib
+
+ -- Sandro Knauß   Sat, 19 May 2018 19:11:15 +0200
+
 kdepim (4:16.04.3-4~deb9u1) stretch; urgency=high
 
   * Team upload.
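
Review bot: the last sub-bullet of the new 4:16.04.3-4~deb9u2 entry reads "Update dependendy against kf5-messagelib"; that should be "dependency", and it would help to name the build dependency that is actually bumped (libkf5messageviewer-dev). The bullet above it says the upstream patch was "modified to apply" without saying what was changed; a short note in the patch header listing the deviations from upstream commit 88558f6273650a03d2828027e04116564ca18f20 would let a later reviewer compare the backport against upstream.
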
diff -Nru kdepim-16.04.3/debian/control kdepim-16.04.3/debian/control
--- kdepim-16.04.3/debian/control	2017-06-17 12:12:03.0 +0200
+++ kdepim-16.04.3/debian/control	2018-05-19 18:21:40.0 +0200
@@ -73,7 +73,7 @@
libkf5messagecomposer-dev,
libkf5messagecore-dev (>= 5.2.0~),
libkf5messagelist-dev,
-   libkf5messageviewer-dev (>= 5.2.0~),
+   libkf5messageviewer-dev (>= 4:16.04.3-3~deb9u2),
libkf5mime-dev (>= 15.12~),
libkf5newstuff-dev (>= 5.19.0~),
libkf5notifyconfig-dev (>= 5.19.0~),
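
Review bot: the bump of libkf5messageviewer-dev to (>= 4:16.04.3-3~deb9u2) only constrains the build environment. Since the patched kmail calls the new setHtmlLoadExtDefault symbol, check that the library package from #899127 raises its shlibs/symbols minimum version as well, so that the rebuilt kdepim binaries get a runtime dependency on the fixed library and cannot be installed next to an older libkf5messageviewer that lacks the symbol.
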
diff -Nru kdepim-16.04.3/debian/patches/series kdepim-16.04.3/debian/patches/series
--- kdepim-16.04.3/debian/patches/series	2017-06-17 12:12:03.0 +0200
+++ kdepim-16.04.3/debian/patches/series	2018-05-19 17:49:42.0 +0200
@@ -5,3 +5,4 @@
 fix_crash_when_a_second_instance_of_KAlarm_is_started.patch
 konsolekalendar_help.patch
 fix-CVE-2017-9604.patch
+upstream-Distinguish-between-settings-and-explicit-overrides-.patch
diff -Nru kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch
--- kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch	1970-01-01 01:00:00.0 +0100
+++ kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch	2018-05-19 18:18:28.0 +0200
@@ -0,0 +1,115 @@
+From 88558f6273650a03d2828027e04116564ca18f20 Mon Sep 17 00:00:00 2001
+From: Volker Krause 
+Date: Thu, 26 Apr 2018 18:44:24 +0200
+Subject: [PATCH 3/9] Distinguish between settings and explicit overrides for
+ external content
+
+Summary: See D12391 and D12393 in messagelib.
+
+Reviewers: mlaurent, dvratil, knauss
+
+Reviewed By: knauss
+
+Subscribers: #kde_pim
+
+Tags: #kde_pim
+
+Differential Revision: https://phabricator.kde.org/D12394
+---
+ kmail/kmmainwidget.cpp| 6 +++---
+ kmail/kmreadermainwin.cpp | 4 ++--
+ kmail/kmreadermainwin.h   | 2 +-
+ kmail/kmreaderwin.cpp | 9 +++--
+ kmail/kmreaderwin.h   | 3 ++-
+ 5 files changed, 15 insertions(+), 9 deletions(-)
+
+--- a/kmail/kmmainwidget.cpp
 b/kmail/kmmainwidget.cpp
+@@ -513,7 +513,7 @@ void KMMainWidget::folderSelected(const
+ readFolderConfig();
+ if (mMsgView) {
+ mMsgView->setDisplayFormatMessageOverwrite(mFolderDisplayFormatPreference);
+-mMsgView->setHtmlLoadExtOverride(mFolderHtmlLoadExtPreference);
++mMsgView->setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference);
+ }
+ 
+ if (!mCurrentFolder->isValid() && (mMessagePane->count() < 2)) {
+@@ -1593,7 +1593,7 @@ void KMMainWidget::slotOverrideHtmlLoadE
+ mFolderHtmlLoadExtPreference = !mFolderHtmlLoadExtPreference;
+ 
+ if (mMsgView) {
+-mMsgView->setHtmlLoadExtOverride(mFolderHtmlLoadExtPreference);
++mMsgView->setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference);
+ mMsgView->update(true);
+ }
+ }
+@@ -4391,7 +4391,7 @@ void KMMainWidget::itemsReceived(const A
+ mMsgView->setMessage(copyItem);
+ // reset HTML override to the folder setting
+ mMsgView->setDisplayFormatMessageOverwrite(mFolderDisplayFormatPreference);
+-mMsgView->setHtmlLoadExtOverride(mFolderHtmlLoadExtPreference);
++mMsgView->setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference);
+ mMsgView->setDecryptMessageOverwrite(false);
+ mMsgActions->setCurrentMessage(copyItem);
+ }
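
Review bot: in the itemsReceived hunk the per-message reset now calls setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference) where it used to call setHtmlLoadExtOverride, so nothing visible here clears an explicit external-content override left over from the previously displayed message. Please confirm that the viewer side (D12391 and D12393 in messagelib) drops the explicit override when a new message is set; otherwise a one-off choice to load external references could carry over to the next mail. The comment "// reset HTML override to the folder setting" just above still speaks of an override while the call next to it now sets the default, so it should be reworded, and the same naming mismatch applies to the slot in the second hunk.
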
+--- a/kmail/kmreadermainwin.cpp
 b/kmail/kmreadermainwin.cpp
+@@ -72,14 +72,14 @@
+ 
+ using namespace MailCommon;
+ 
+-KMReaderMainWin::KMReaderMainWin(MessageViewer::Viewer::DisplayFormatMessage format, bool htmlLoadExtOverride,
++KMReaderMainWin::KMReaderMainWin(MessageViewer::Viewer::DisplayFormatMessage format, bool htmlLoadExtDefault,
+  char *name)
+ : KMail::SecondaryWindow(name ? name : "readerwindow#")
+ {
+ mReaderWin = new KMReaderWin(this, this, actionCollection());
+