https://bugs.kde.org/show_bug.cgi?id=404698
sam zain changed:
What|Removed |Added
CC||omarande...@gmail.com
--- Comment #25 from sam zain
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #24 from Sandro Knauß ---
(In reply to beuc from comment #23)
> I wrote something cruder but that works with the 404698-* messagelib test
> cases:
> https://www.beuc.net/tmp/kdepim-CVE-2019-10732.patch
> This should be a good compromise,
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #23 from b...@beuc.net ---
I wrote something cruder but that works with the 404698-* messagelib test
cases:
https://www.beuc.net/tmp/kdepim-CVE-2019-10732.patch
This should be a good compromise, let me know if I missed something.
I plan to
https://bugs.kde.org/show_bug.cgi?id=404698
b...@beuc.net changed:
What|Removed |Added
CC||b...@beuc.net
--- Comment #22 from
https://bugs.kde.org/show_bug.cgi?id=404698
Sandro Knauß changed:
What|Removed |Added
Version Fixed In||5.11.2
Latest
https://bugs.kde.org/show_bug.cgi?id=404698
Sandro Knauß changed:
What|Removed |Added
Latest Commit|https://commits.kde.org/mes |https://commits.kde.org/mes
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #18 from Sandro Knauß ---
Created attachment 120026
--> https://bugs.kde.org/attachment.cgi?id=120026=edit
html mail with two images embedded.
There is one question, how we should handle forwards with embedded images.
We have a testcase
https://bugs.kde.org/show_bug.cgi?id=404698
Sandro Knauß changed:
What|Removed |Added
Resolution|--- |FIXED
Status|CONFIRMED
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #16 from Sandro Knauß ---
(In reply to Jens Mueller from comment #15)
> @David: This would mean if you attach a non-encrypted image to an
> encrypted...
>
> Absolutely, such an email could not be decrypted anymore if you follow our
>
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #15 from Jens Mueller ---
@David: This would mean if you attach a non-encrypted image to an encrypted...
Absolutely, such an email could not be decrypted anymore if you follow our
suggestions (or had to be manually decrypted on the command
https://bugs.kde.org/show_bug.cgi?id=404698
Jens Mueller changed:
What|Removed |Added
Version|5.10.3 |unspecified
--
You are receiving this mail
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #14 from Sandro Knauß ---
(In reply to David Faure from comment #11)
> - Preventing KMail from *sending* such messages would obviously be no help
> (one could just craft that message by hand or using another email client).
ACK.
> -
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #13 from Sandro Knauß ---
@Jens: what version did you test? You set "Debian Stable" and "5.10.3"; this
does not match. Debian stable has 16.04.3 aka 5.2.3.
I now started to look into the issue, but I can't reproduce it with the
attached
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #12 from David Faure ---
About the original suggestion: "Do not decrypt emails unless the PGP or S/MIME
encrypted part is the root node -- and therefore the only part -- in the MIME
tree (exception: multipart/signed for
https://bugs.kde.org/show_bug.cgi?id=404698
David Faure changed:
What|Removed |Added
CC||fa...@kde.org
--- Comment #11 from David Faure
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #10 from Jens Mueller ---
Update: Here's a full (public) report on the issue:
https://arxiv.org/ftp/arxiv/papers/1904/1904.07550.pdf
For KMail, CVE-2019-10732 was assigned for reply-based `decryption oracles`.
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #9 from Jens Mueller ---
Imho, there are no legitimate use cases for `partial encryption` in S/MIME and
PGP/MIME, but it's hard to measure if such emails do exist in the wild. In case
of PGP/Inline, unfortunately, every part is encrypted
https://bugs.kde.org/show_bug.cgi?id=404698
Albert Astals Cid changed:
What|Removed |Added
CC||mon...@kde.org
--- Comment #8 from Albert
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #7 from Jens Mueller ---
Exactly that's the problem. Note that not only one message, but hundreds of
captured messages can be wrapped and leaked with one single reply.
Traditional message takeover attacks under a new identity (C) are
https://bugs.kde.org/show_bug.cgi?id=404698
Albert Astals Cid changed:
What|Removed |Added
CC||aa...@kde.org
--- Comment #6 from Albert
https://bugs.kde.org/show_bug.cgi?id=404698
Michael Palimaka changed:
What|Removed |Added
CC||kensing...@gentoo.org
https://bugs.kde.org/show_bug.cgi?id=404698
andreas.sturmlech...@gmail.com changed:
What|Removed |Added
CC||andreas.sturmlechner@gmail.
https://bugs.kde.org/show_bug.cgi?id=404698
Rex Dieter changed:
What|Removed |Added
CC||rdie...@gmail.com
https://bugs.kde.org/show_bug.cgi?id=404698
Sandro Knauß changed:
What|Removed |Added
Status|REPORTED|CONFIRMED
CC|
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #4 from Jens Mueller ---
Things may have changed in the meantime, but for the version we tested
(v5.2.3), there is no need to click on "Decrypt Message". While the plaintext
is not shown to the user, if he does not explicitly click "Decrypt
https://bugs.kde.org/show_bug.cgi?id=404698
Nate Graham changed:
What|Removed |Added
CC||n...@kde.org
https://bugs.kde.org/show_bug.cgi?id=404698
Daniel Vrátil changed:
What|Removed |Added
CC||dvra...@kde.org
--- Comment #3 from Daniel
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #1 from Jens Mueller ---
Created attachment 118288
--> https://bugs.kde.org/attachment.cgi?id=118288=edit
Proof-of-concept PGP
https://bugs.kde.org/show_bug.cgi?id=404698
--- Comment #2 from Jens Mueller ---
Created attachment 118289
--> https://bugs.kde.org/attachment.cgi?id=118289=edit
Proof-of-concept S/MIME