Bug#793508: kmail: contacts gravatar.com to fetch face images of senders of opened mails by default

2015-09-08 Thread Dominik George
Package: kmail
Version: 4:4.14.10-2
Followup-For: Bug #793508

I also see this happen. Suddenly, one of my coworkers had a donkey in
every mail he sent.

This effectively leaks information about who I receive mail from to any
network operator on the route to the internet.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: systemd (via /run/systemd/system)

Versions of packages kmail depends on:
ii  kde-runtime                   4:15.08.0-2
ii  kdepim-runtime                4:4.14.10-2
ii  kdepimlibs-kio-plugins        4:4.14.10-1
ii  libakonadi-calendar4          4:4.14.10-1
ii  libakonadi-contact4           4:4.14.10-1
ii  libakonadi-kde4               4:4.14.10-1
ii  libakonadi-kmime4             4:4.14.10-1
ii  libakonadiprotocolinternals1  1.13.0-8
ii  libc6                         2.19-19
ii  libcalendarsupport4           4:4.14.10-2
ii  libfollowupreminder4          4:4.14.10-2
ii  libgcc1                       1:5.2.1-16
ii  libgpgme++2v5                 4:4.14.10-1
ii  libgrantlee-core0             0.4.0-3
ii  libincidenceeditorsng4        4:4.14.10-2
ii  libkabc4                      4:4.14.10-1
ii  libkalarmcal2                 4:4.14.10-1
ii  libkcalcore4                  4:4.14.10-1
ii  libkcalutils4                 4:4.14.10-1
ii  libkcmutils4                  4:4.14.10-3
ii  libkdecore5                   4:4.14.10-3
ii  libkdepim4                    4:4.14.10-2
ii  libkdeui5                     4:4.14.10-3
ii  libkio5                       4:4.14.10-3
ii  libkleo4                      4:4.14.10-2
ii  libkmanagesieve4              4:4.14.10-2
ii  libkmime4                     4:4.14.10-1
ii  libknotifyconfig4             4:4.14.10-3
ii  libkontactinterface4a         4:4.14.10-1
ii  libkparts4                    4:4.14.10-3
ii  libkpimidentities4            4:4.14.10-1
ii  libkpimtextedit4              4:4.14.10-1
ii  libkpimutils4                 4:4.14.10-1
ii  libkprintutils4               4:4.14.10-3
ii  libksieveui4                  4:4.14.10-2
ii  libmailcommon4                4:4.14.10-2
ii  libmailimporter4              4:4.14.10-2
ii  libmailtransport4             4:4.14.10-1
ii  libmessagecomposer4           4:4.14.10-2
ii  libmessagecore4               4:4.14.10-2
ii  libmessagelist4               4:4.14.10-2
ii  libmessageviewer4             4:4.14.10-2
ii  libpimcommon4                 4:4.14.10-2
ii  libqt4-dbus                   4:4.8.7+dfsg-3
ii  libqt4-network                4:4.8.7+dfsg-3
ii  libqt4-xml                    4:4.8.7+dfsg-3
ii  libqtcore4                    4:4.8.7+dfsg-3
ii  libqtgui4                     4:4.8.7+dfsg-3
ii  libqtwebkit4                  2.3.4.dfsg-4
ii  libsendlater4                 4:4.14.10-2
ii  libsolid4                     4:4.14.10-3
ii  libstdc++6                    5.2.1-16
ii  libtemplateparser4            4:4.14.10-2
ii  perl                          5.20.2-6

Versions of packages kmail recommends:
ii  gnupg-agent                     2.1.7-2
ii  gnupg2                          2.1.7-2
ii  kdepim-doc                      4:4.14.10-2
pn  kdepim-themeditors
ii  ktnef                           4:4.14.10-2
ii  pinentry-gnome3 [pinentry-x11]  0.9.5-4
ii  pinentry-gtk2 [pinentry-x11]    0.9.5-4
ii  pinentry-qt4 [pinentry-x11]     0.9.5-4

Versions of packages kmail suggests:
pn  clamav
ii  kaddressbook  4:4.14.10-2
ii  kleopatra     4:4.14.10-2
ii  procmail      3.22-25
pn  spamassassin | bogofilter | annoyance-filter | spambayes | bsf  

-- no debconf information



Bug#793508: kmail: contacts gravatar.com to fetch face images of senders of opened mails by default

2015-07-24 Thread Martin Steigerwald
Package: kmail
Version: 4:4.14.5-1
Severity: important

Dear Maintainer,

I just found out after reading the kde-pim upstream mailing list that KMail as
packaged in Debian experimental (I am not sure whether the Sid version is
also affected) contacts gravatar.com to fetch face images of senders of
opened mails by default [1].

This was not the intention of the developer adding gravatar.com support to
it.

I just posted the following information to debian-kde mailing list:

---
If you do not want KMail to connect to gravatar.com to find faces for mail
identities, you can disable it in Configure / Appearance / Message window
(last one roughly translated from German).
---

But as not everyone reads it and this is a privacy leak, it may make sense
to upload a package that changes the default.

According to the thread, the enabled-by-default mistake has been fixed in the
KF5-based kmail, which is due for release with KDE Applications 15.08 in August.

Please note it is not my intention to point fingers or such. I assume good
intentions, errors can happen. So this is just about fixing the privacy
leak being enabled by default.


[1] kde-pim mailing list, thread "[Kde-pim] how does kmail find face-like
images from mail senders ?" started by Martin Koller, specifically:
Message-ID: 2126112.rfxk9ju...@collossus.ingo-kloecker.de
Message-ID: 1996527.JvW9aqgcpS@linux-19td

The mailing list archive at https://mail.kde.org/pipermail/kde-pim/ is currently
broken.

Thanks,
Martin

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-rc3-tp520-btrfstrim+ (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages kmail depends on:
ii  kde-runtime                   4:14.12.3-1
ii  kdepim-runtime                4:4.14.6-1
ii  kdepimlibs-kio-plugins        4:4.14.6-1
ii  libakonadi-calendar4          4:4.14.6-1
ii  libakonadi-contact4           4:4.14.6-1
ii  libakonadi-kde4               4:4.14.6-1
ii  libakonadi-kmime4             4:4.14.6-1
ii  libakonadiprotocolinternals1  1.13.0-7
ii  libc6                         2.19-19
ii  libcalendarsupport4           4:4.14.5-1
ii  libfollowupreminder4          4:4.14.5-1
ii  libgcc1                       1:5.1.1-14
ii  libgpgme++2                   4:4.14.6-1
ii  libgrantlee-core0             0.4.0-2
ii  libincidenceeditorsng4        4:4.14.5-1
ii  libkabc4                      4:4.14.6-1
ii  libkalarmcal2                 4:4.14.6-1
ii  libkcalcore4                  4:4.14.6-1
ii  libkcalutils4                 4:4.14.6-1
ii  libkcmutils4                  4:4.14.2-5
ii  libkdecore5                   4:4.14.2-5
ii  libkdepim4                    4:4.14.5-1
ii  libkdeui5                     4:4.14.2-5
ii  libkio5                       4:4.14.2-5
ii  libkleo4                      4:4.14.5-1
ii  libkmanagesieve4              4:4.14.5-1
ii  libkmime4                     4:4.14.6-1
ii  libknotifyconfig4             4:4.14.2-5
ii  libkontactinterface4a         4:4.14.6-1
ii  libkparts4                    4:4.14.2-5
ii  libkpgp4                      4:4.14.5-1
ii  libkpimidentities4            4:4.14.6-1
ii  libkpimtextedit4              4:4.14.6-1
ii  libkpimutils4                 4:4.14.6-1
ii  libkprintutils4               4:4.14.2-5
ii  libksieveui4                  4:4.14.5-1
ii  libmailcommon4                4:4.14.5-1
ii  libmailimporter4              4:4.14.5-1
ii  libmailtransport4             4:4.14.6-1
ii  libmessagecomposer4           4:4.14.5-1
ii  libmessagecore4               4:4.14.5-1
ii  libmessagelist4               4:4.14.5-1
ii  libmessageviewer4             4:4.14.5-1
ii  libpimcommon4                 4:4.14.5-1
ii  libqt4-dbus                   4:4.8.7+dfsg-1
ii  libqt4-network                4:4.8.7+dfsg-1
ii  libqt4-xml                    4:4.8.7+dfsg-1
ii  libqtcore4                    4:4.8.7+dfsg-1
ii  libqtgui4                     4:4.8.7+dfsg-1
ii  libqtwebkit4                  2.3.4.dfsg-3
ii  libsendlater4                 4:4.14.5-1
ii  libsolid4                     4:4.14.2-5
ii  libstdc++6                    5.1.1-14
ii  libtemplateparser4            4:4.14.5-1
ii  perl                          5.20.2-6

Versions of packages kmail recommends:
ii  gnupg-agent                     2.0.28-3
ii  gnupg2                          2.0.28-3
ii  kdepim-doc                      4:4.14.5-1
pn  kdepim-themeditors              none
ii  ktnef                           4:4.14.5-1
ii  pinentry-gnome3 [pinentry-x11]  0.9.5-2
ii  pinentry-gtk2 [pinentry-x11]    0.9.5-2
ii  pinentry-qt4 [pinentry-x11]     0.9.5-2

Versions of packages kmail suggests:
ii  bogofilter  1.2.4+dfsg1-3
pn  clamav