[Secure-testing-team] Bug#864803: CVE-2017-9604: Send Later with Delay bypasses OpenPGP
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 15 05:40:10 UTC 2017
Source: kf5-messagelib
Version: 4:16.04.3-2
Severity: important
Tags: patch upstream security
Control: clone -1 -2
Control: reassign -2 kdepim 4:4.14.1-1
Hi,
the following vulnerability was published for kf5-messagelib (and
kmail).
CVE-2017-9604[0]:
| KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in
| KDE Applications before 17.04.2, do not ensure that a plugin's
| sign/encrypt action occurs during use of the Send Later feature, which
| allows remote attackers to obtain sensitive information by sniffing the
| network.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9604
[1] https://www.kde.org/info/security/advisory-20170615-1.txt
Looking at the patchset I see it would apply as well to
kdepim/4:4.14.1-1 to some extend. I though have some difficulties to
correctly classify not knowing this Send Later feature. Can you please
double check the above.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list