Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
Hi, On 04/09/2019 09:19 PM, Moritz Muehlenhoff wrote: The tracker for CVE-2017-17689 doesn't list anything related to kdepim or src:meta-kde for buster. Is the issue fixed in the binary kdepim (produced by src:meta-kde) in buster? If so, that should probably be stated explicitly in the tracker. For buster the affected code is in src:kf5-messagelib and fixed in 4:18.08.1-1 In stretch the affected code is in src:kdepim In Buster the binary package kdepim is now built out of src:meta-kde, but that was never affected. That's we don't track src:meta-kde at all in https://security-tracker.debian.org/tracker/CVE-2017-17689 Does that clarify? Yes. I (incorrectly) assumed that the offending code had been in meta-kde in buster at some point. As that's not the case, there is nothing left to fix for buster. Thanks for the clarification. Ivo
Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
On Tue, Apr 09, 2019 at 06:49:16PM +0200, Ivo De Decker wrote: > Hi Salvatore, > > On 4/8/19 10:59 PM, Salvatore Bonaccorso wrote: > > Control: reassign -1 src:kdepim > > On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote: > > > Hi, > > > > > > On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote: > > > > I now created a debdiff for kdepim. The patch depdends on the new > > > > symbol that > > > > was added in new messageviewer (see #899127). > > > > > > Does this bug still affect buster/sid? From the bug log and the tracker > > > for > > > CVE-2017-17689, it look like kmail in buster/sid is not affected, but it > > > would > > > be good if someone could confirm that. > > > > I think the tracking problem was hiere that #899128 is associated with > > src:meta-kde, but it should be src:kdepim (#899128) and respectively > > kf5-messagelib was #899127. The issue was fixed in the kf5-messagelib > > in version 4:18.08.1-1. In stretch src:kdepim was a source package, > > whilst in buster kdepim is a binary package produced by kde-meta, but > > the issue lies there in src:kf5-messagelib. > > The tracker for CVE-2017-17689 doesn't list anything related to kdepim or > src:meta-kde for buster. Is the issue fixed in the binary kdepim (produced > by src:meta-kde) in buster? If so, that should probably be stated explicitly > in the tracker. For buster the affected code is in src:kf5-messagelib and fixed in 4:18.08.1-1 In stretch the affected code is in src:kdepim In Buster the binary package kdepim is now built out of src:meta-kde, but that was never affected. That's we don't track src:meta-kde at all in https://security-tracker.debian.org/tracker/CVE-2017-17689 Does that clarify? Cheers, Moritz
Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
Hi Salvatore, On 4/8/19 10:59 PM, Salvatore Bonaccorso wrote: Control: reassign -1 src:kdepim On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote: Hi, On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote: I now created a debdiff for kdepim. The patch depdends on the new symbol that was added in new messageviewer (see #899127). Does this bug still affect buster/sid? From the bug log and the tracker for CVE-2017-17689, it look like kmail in buster/sid is not affected, but it would be good if someone could confirm that. I think the tracking problem was hiere that #899128 is associated with src:meta-kde, but it should be src:kdepim (#899128) and respectively kf5-messagelib was #899127. The issue was fixed in the kf5-messagelib in version 4:18.08.1-1. In stretch src:kdepim was a source package, whilst in buster kdepim is a binary package produced by kde-meta, but the issue lies there in src:kf5-messagelib. The tracker for CVE-2017-17689 doesn't list anything related to kdepim or src:meta-kde for buster. Is the issue fixed in the binary kdepim (produced by src:meta-kde) in buster? If so, that should probably be stated explicitly in the tracker. The reassign means that the BTS thinks this issue doesn't affect buster anymore. I'm assuming that's correct. Thanks, Ivo
Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
Control: reassign -1 src:kdepim Hi Ivo, On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote: > Hi, > > On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote: > > I now created a debdiff for kdepim. The patch depdends on the new symbol > > that > > was added in new messageviewer (see #899127). > > Does this bug still affect buster/sid? From the bug log and the tracker for > CVE-2017-17689, it look like kmail in buster/sid is not affected, but it would > be good if someone could confirm that. I think the tracking problem was hiere that #899128 is associated with src:meta-kde, but it should be src:kdepim (#899128) and respectively kf5-messagelib was #899127. The issue was fixed in the kf5-messagelib in version 4:18.08.1-1. In stretch src:kdepim was a source package, whilst in buster kdepim is a binary package produced by kde-meta, but the issue lies there in src:kf5-messagelib. Regards, Salvatore
Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
Hi, On Sat, May 19, 2018 at 07:18:06PM +0200, Sandro Knauß wrote: > I now created a debdiff for kdepim. The patch depdends on the new symbol that > was added in new messageviewer (see #899127). Does this bug still affect buster/sid? From the bug log and the tracker for CVE-2017-17689, it look like kmail in buster/sid is not affected, but it would be good if someone could confirm that. Thanks, Ivo
Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail
Control: tags -1 +patch Hey, I now created a debdiff for kdepim. The patch depdends on the new symbol that was added in new messageviewer (see #899127). hefeediff -Nru kdepim-16.04.3/debian/changelog kdepim-16.04.3/debian/changelog --- kdepim-16.04.3/debian/changelog 2017-06-17 12:12:03.0 +0200 +++ kdepim-16.04.3/debian/changelog 2018-05-19 19:11:15.0 +0200 @@ -1,3 +1,15 @@ +kdepim (4:16.04.3-4~deb9u2) stretch; urgency=high + + * Team upload. + + [ Sandro Knauß ] + * Limit CVE-2017-17689 (EFAIL) for kmail (Closes: #899128) +- Added upstream patch (modified to apply) + upstream-Distinguish-between-settings-and-explicit-overrides-.patch +- Update dependendy against kf5-messagelib + + -- Sandro Knauß Sat, 19 May 2018 19:11:15 +0200 + kdepim (4:16.04.3-4~deb9u1) stretch; urgency=high * Team upload. diff -Nru kdepim-16.04.3/debian/control kdepim-16.04.3/debian/control --- kdepim-16.04.3/debian/control 2017-06-17 12:12:03.0 +0200 +++ kdepim-16.04.3/debian/control 2018-05-19 18:21:40.0 +0200 @@ -73,7 +73,7 @@ libkf5messagecomposer-dev, libkf5messagecore-dev (>= 5.2.0~), libkf5messagelist-dev, - libkf5messageviewer-dev (>= 5.2.0~), + libkf5messageviewer-dev (>= 4:16.04.3-3~deb9u2), libkf5mime-dev (>= 15.12~), libkf5newstuff-dev (>= 5.19.0~), libkf5notifyconfig-dev (>= 5.19.0~), diff -Nru kdepim-16.04.3/debian/patches/series kdepim-16.04.3/debian/patches/series --- kdepim-16.04.3/debian/patches/series 2017-06-17 12:12:03.0 +0200 +++ kdepim-16.04.3/debian/patches/series 2018-05-19 17:49:42.0 +0200 @@ -5,3 +5,4 @@ fix_crash_when_a_second_instance_of_KAlarm_is_started.patch konsolekalendar_help.patch fix-CVE-2017-9604.patch +upstream-Distinguish-between-settings-and-explicit-overrides-.patch diff -Nru kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch --- kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch 1970-01-01 01:00:00.0 +0100 +++ kdepim-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-overrides-.patch 2018-05-19 18:18:28.0 +0200 @@ -0,0 +1,115 @@ +From 88558f6273650a03d2828027e04116564ca18f20 Mon Sep 17 00:00:00 2001 +From: Volker Krause +Date: Thu, 26 Apr 2018 18:44:24 +0200 +Subject: [PATCH 3/9] Distinguish between settings and explicit overrides for + external content + +Summary: See D12391 and D12393 in messagelib. + +Reviewers: mlaurent, dvratil, knauss + +Reviewed By: knauss + +Subscribers: #kde_pim + +Tags: #kde_pim + +Differential Revision: https://phabricator.kde.org/D12394 +--- + kmail/kmmainwidget.cpp| 6 +++--- + kmail/kmreadermainwin.cpp | 4 ++-- + kmail/kmreadermainwin.h | 2 +- + kmail/kmreaderwin.cpp | 9 +++-- + kmail/kmreaderwin.h | 3 ++- + 5 files changed, 15 insertions(+), 9 deletions(-) + +--- a/kmail/kmmainwidget.cpp b/kmail/kmmainwidget.cpp +@@ -513,7 +513,7 @@ void KMMainWidget::folderSelected(const + readFolderConfig(); + if (mMsgView) { + mMsgView->setDisplayFormatMessageOverwrite(mFolderDisplayFormatPreference); +-mMsgView->setHtmlLoadExtOverride(mFolderHtmlLoadExtPreference); ++mMsgView->setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference); + } + + if (!mCurrentFolder->isValid() && (mMessagePane->count() < 2)) { +@@ -1593,7 +1593,7 @@ void KMMainWidget::slotOverrideHtmlLoadE + mFolderHtmlLoadExtPreference = !mFolderHtmlLoadExtPreference; + + if (mMsgView) { +-mMsgView->setHtmlLoadExtOverride(mFolderHtmlLoadExtPreference); ++mMsgView->setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference); + mMsgView->update(true); + } + } +@@ -4391,7 +4391,7 @@ void KMMainWidget::itemsReceived(const A + mMsgView->setMessage(copyItem); + // reset HTML override to the folder setting + mMsgView->setDisplayFormatMessageOverwrite(mFolderDisplayFormatPreference); +-mMsgView->setHtmlLoadExtOverride(mFolderHtmlLoadExtPreference); ++mMsgView->setHtmlLoadExtDefault(mFolderHtmlLoadExtPreference); + mMsgView->setDecryptMessageOverwrite(false); + mMsgActions->setCurrentMessage(copyItem); + } +--- a/kmail/kmreadermainwin.cpp b/kmail/kmreadermainwin.cpp +@@ -72,14 +72,14 @@ + + using namespace MailCommon; + +-KMReaderMainWin::KMReaderMainWin(MessageViewer::Viewer::DisplayFormatMessage format, bool htmlLoadExtOverride, ++KMReaderMainWin::KMReaderMainWin(MessageViewer::Viewer::DisplayFormatMessage format, bool htmlLoadExtDefault, + char *name) + : KMail::SecondaryWindow(name ? name : "readerwindow#") + { + mReaderWin = new KMReaderWin(this, this, actionCollection()); + //mReaderWin->setShowCompleteMessage( true ); +