Ubuntu
kdepim package

[CVE] Send Later with Delay bypasses OpenPGP

Bug #1698180 reported by wens on 2017-06-15

272

This bug affects 2 people

	Status	Importance	Assigned to
kdepim (Ubuntu)	Invalid	High	Unassigned
Trusty	Fix Released	High	Simon Quigley
Xenial	Fix Released	High	Simon Quigley
kf5-messagelib (Ubuntu)	Fix Released	High	Simon Quigley
kmail (Ubuntu)	Fix Released	Undecided	Simon Quigley

Bug Description

KDE Project Security Advisory
=============================

Title: KMail: Send Later with Delay bypasses OpenPGP
Risk Rating: Medium
CVE: CVE-2017-9604
Versions: kmail, messagelib < 5.5.2
Date: 15 June 2017

Overview
========
KMail’s Send Later with Delay function bypasses OpenPGP signing and
encryption, causing the message to be sent unsigned and in plain-text.

Solution
========
Update to kmail, messagelib >= 5.5.2 (Released as part of KDE Applications 17.04.2)

Or apply the following patches:
kmail: https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8
messagelib: https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197

Credits
=======
Thanks to Daniel Aleksandersen for the report and to Laurent Montel for the fix.

CVE References

2017-9604

wens (alex-volegov) on 2017-06-15

information type:

Private Security → Public Security

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2017-06-16:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in kdepim (Ubuntu):
status:	New → Incomplete
Changed in kmail (Ubuntu):
status:	New → Incomplete

Revision history for this message

Rik Mills (rikmills) wrote on 2017-06-16: Re: Send Later with Delay bypasses OpenPGP

Luca Beltrame from opensuse & KDE kidly pointed out the following patches that have been applied and backported there for their currently shipped versions. Some may either apply here, or be adaptable if not.

For PIM 4.14

https://build.opensuse.org/package/view_file/home:luca_b:422pimfix/kdepim4.openSUSE_Leap_42.2_Update/use-plugin-for-sendlater.patch?expand=1

https://build.opensuse.org/package/view_file/home:luca_b:422pimfix/kdepim4.openSUSE_Leap_42.2_Update/also-encrypt-when-sending-later-cve-2017-9604.patch

For 16.08 which we do not have, but may be in whole or part applicable to PIM 16.12 or 16.04 packages.

https://build.opensuse.org/package/view_file/home:luca_b:422pimfix/kdepim.openSUSE_Leap_42.2_Update/use-plugin-for-sendlater.patch?expand=1

https://build.opensuse.org/package/view_file/home:luca_b:422pimfix/messagelib.openSUSE_Leap_42.2_Update/also-encrypt-when-sending-later-cve-2017-9604.patch?expand=1

Vej (vej) on 2017-07-02

Changed in kdepim (Ubuntu):
importance:	Undecided → High
Changed in kmail (Ubuntu):
importance:	Undecided → High

Simon Quigley (tsimonq2) on 2017-08-12

Changed in kdepim (Ubuntu):
status:	Incomplete → In Progress
assignee:	nobody → Simon Quigley (tsimonq2)
Changed in kmail (Ubuntu):
status:	Incomplete → In Progress
assignee:	nobody → Simon Quigley (tsimonq2)

Rik Mills (rikmills) on 2017-08-12

Changed in kdepim (Ubuntu Trusty):
importance:	Undecided → High
Changed in kdepim (Ubuntu Xenial):
importance:	Undecided → High
Changed in kdepim (Ubuntu Zesty):
importance:	Undecided → High
Changed in kmail (Ubuntu Trusty):
importance:	Undecided → High
Changed in kmail (Ubuntu Xenial):
importance:	Undecided → High
Changed in kmail (Ubuntu Zesty):
importance:	Undecided → High

Rik Mills (rikmills) on 2017-08-12

no longer affects:	kmail (Ubuntu)
no longer affects:	kmail (Ubuntu Trusty)
no longer affects:	kmail (Ubuntu Xenial)
no longer affects:	kmail (Ubuntu Zesty)
no longer affects:	kmail (Ubuntu Artful)

Rik Mills (rikmills) on 2017-08-12

Changed in kf5-messagelib (Ubuntu):
importance:	Undecided → High

Simon Quigley (tsimonq2) on 2017-08-12

Changed in kf5-messagelib (Ubuntu):
status:	New → In Progress
assignee:	nobody → Simon Quigley (tsimonq2)

Simon Quigley (tsimonq2) on 2017-08-12

summary:	- Send Later with Delay bypasses OpenPGP + [CVE] Send Later with Delay bypasses OpenPGP
Changed in kmail (Ubuntu):
assignee:	nobody → Simon Quigley (tsimonq2)
status:	New → In Progress

Revision history for this message

Simon Quigley (tsimonq2) wrote on 2017-08-22:

kdepim no longer exists in Artful, and fixes are in artful-proposed for kmail and kf5-messagelib (it's part of the new upstream release).

Changed in kdepim (Ubuntu Artful):
status:	In Progress → Fix Committed
status:	Fix Committed → Invalid
assignee:	Simon Quigley (tsimonq2) → nobody
Changed in kf5-messagelib (Ubuntu):
status:	In Progress → Fix Committed
Changed in kmail (Ubuntu):
status:	In Progress → Fix Committed

Simon Quigley (tsimonq2) on 2017-09-16

Changed in kf5-messagelib (Ubuntu):
status:	Fix Committed → Fix Released
Changed in kmail (Ubuntu):
status:	Fix Committed → Fix Released

Simon Quigley (tsimonq2) on 2018-03-21

no longer affects:	kdepim (Ubuntu Artful)
no longer affects:	kdepim (Ubuntu Zesty)
Changed in kdepim (Ubuntu Trusty):
assignee:	nobody → Simon Quigley (tsimonq2)
Changed in kdepim (Ubuntu Xenial):
assignee:	nobody → Simon Quigley (tsimonq2)
Changed in kdepim (Ubuntu Trusty):
status:	New → Confirmed
Changed in kdepim (Ubuntu Xenial):
status:	New → Confirmed

Revision history for this message

Simon Quigley (tsimonq2) wrote on 2018-03-25:

I have uploaded these fixes (for Xenial and Trusty) to a fresh test PPA of mine with all architectures switched on and only the security repo enabled. I then tested both in VMs of each release, and they work as intended. It also fixes the security issue.

Security Team, feel free to copy my packages to your PPA:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8878568/+listing-archive-extra
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8878391/+listing-archive-extra

The diffs for each are on that page if you would like to do it manually.

Please sponsor each to go into Ubuntu.

Thanks.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-03-26:

This bug was fixed in the package kdepim - 4:15.12.3-0ubuntu1.1

---------------
kdepim (4:15.12.3-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Send Later with Delay bypasses OpenPGP (LP: #1698180):
    - fix-CVE-2017-9604.patch
    - CVE-2017-9604

-- Simon Quigley <email address hidden> Sun, 25 Mar 2018 07:38:25 -0500

Changed in kdepim (Ubuntu Xenial):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-03-26:

This bug was fixed in the package kdepim - 4:4.13.3-0ubuntu0.2

---------------
kdepim (4:4.13.3-0ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Send Later with Delay bypasses OpenPGP (LP: #1698180):
    - fix-CVE-2017-9604.patch
    - CVE-2017-9604

-- Simon Quigley <email address hidden> Sun, 25 Mar 2018 11:02:11 -0500

Changed in kdepim (Ubuntu Trusty):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntukdepim package

[CVE] Send Later with Delay bypasses OpenPGP

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
kdepim package