Bug 19533

Summary: kmail (kdepimlibs4) new security issues fixed upstream (CVE-2016-7966)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, mageia, mageia, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/703104/
See Also: https://bugs.mageia.org/show_bug.cgi?id=21100
Whiteboard: MGA5-64-OK advisory
Source RPM: kdepimlibs4-4.14.5-1.mga5.src.rpm CVE:
Status comment:
Bug Depends on: 17123    
Bug Blocks:    

Description David Walser 2016-10-05 00:43:49 CEST 
CVEs have been requested for security issues fixed upstream in kmail:
http://openwall.com/lists/oss-security/2016/10/04/8

The titles of the commits to fix them are listed, but no links are provided.
David Walser 2016-10-05 00:43:57 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-10-05 12:20:27 CEST 
CVE-2016-796[6-8]:
http://www.openwall.com/lists/oss-security/2016/10/05/1

Summary: kmail (kdepim4, kdepim) new security issues fixed upstream => kmail (kdepim4, kdepim) new security issues fixed upstream (CVE-2016-796[6-8])

David Walser 2016-10-11 14:25:16 CEST

URL: (none) => http://lwn.net/Vulnerabilities/703104/

Comment 2 David Walser 2016-10-11 14:25:42 CEST 
Upstream advisory:
https://www.kde.org/info/security/advisory-20161006-1.txt
Comment 3 David Walser 2016-10-11 14:26:10 CEST 
LWN reference for the other two CVEs:
http://lwn.net/Vulnerabilities/703105/
Nicolas Lécureuil 2016-12-30 23:14:09 CET

CC: (none) => mageia
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2016-12-30 23:25:46 CET 
Unless I missed something, the patch for kdepimlibs4 still needs to be applied in Cauldron.

Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO

David Walser 2016-12-30 23:28:25 CET

Summary: kmail (kdepim4, kdepim) new security issues fixed upstream (CVE-2016-796[6-8]) => kmail (kdepimlibs4) new security issues fixed upstream (CVE-2016-7966)
Source RPM: kdepim4-4.14.5-1.mga5.src.rpm, kdepim-16.08.1-5.mga6.src.rpm => kdepimlibs4-4.14.5-1.mga5.src.rpm

Comment 5 David Walser 2016-12-30 23:31:06 CET 
Unfortunately the git commit link from the upstream advisory no longer works.
Comment 7 David Walser 2016-12-30 23:36:24 CET 
kdepimlibs4-4.14.10-14.mga6 submitted for Cauldron with the fix.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

David Walser 2016-12-30 23:40:33 CET

Depends on: (none) => 17123

Comment 8 David Walser 2017-07-01 21:03:21 CEST 
Fedora has issued an advisory for CVE-2016-7968 on June 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C5TGECM37KQEMCLQKNCGQDAOTJOSEZGH/
David Walser 2017-07-02 16:36:13 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21100

Comment 9 David Walser 2017-08-25 00:38:16 CEST 
(In reply to David Walser from comment #8)
> Fedora has issued an advisory for CVE-2016-7968 on June 26:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/C5TGECM37KQEMCLQKNCGQDAOTJOSEZGH/

I believe we've fixed CVE-2016-7966 with:
http://advisories.mageia.org/MGAA-2017-0066.html

but I think we may still need to address the above issue from Comment 8.
Comment 10 Nicolas Lécureuil 2017-08-25 02:21:11 CEST 
I synced our kdepimlibs with upstream 4.14 branch which added a lot of fixes ( 35 

see : https://cgit.kde.org/kdepimlibs.git/log/?h=KDE/4.14


fixes this bug and add more fixes.


src.rpm:
        kdepimlibs4-4.14.10-2.2.mga5
        kdepim4-4.14.10-1.2.mga5
        kdepim4-runtime-4.14.10-2.1.mga5
        akonadi-1.13.0-4.1.mga5
Comment 11 Nicolas Lécureuil 2017-08-25 09:13:07 CEST 
(In reply to David Walser from comment #9)
> (In reply to David Walser from comment #8)
> > Fedora has issued an advisory for CVE-2016-7968 on June 26:
> > https://lists.fedoraproject.org/archives/list/package-announce@lists.
> > fedoraproject.org/thread/C5TGECM37KQEMCLQKNCGQDAOTJOSEZGH/
> 
> I believe we've fixed CVE-2016-7966 with:
> http://advisories.mageia.org/MGAA-2017-0066.html
> 
> but I think we may still need to address the above issue from Comment 8.

patch added on the svn.

I will upload soon
Comment 12 Nicolas Lécureuil 2017-08-25 09:20:42 CEST 
Pushed in updates_testing among other fixes:

src.rpm:
        kdepimlibs4-4.14.10-2.2.mga5
        kdepim4-4.14.10-1.3.mga5
        kdepim4-runtime-4.14.10-2.1.mga5
        akonadi-1.13.0-4.1.mga5
Nicolas Lécureuil 2017-08-25 09:56:58 CEST

Assignee: kde => qa-bugs

Comment 13 David Walser 2017-08-25 12:10:21 CEST 
Advisory:
----------------------------------------

The kdepimlibs4, kdepim4, kdepim4-runtime, and akonadi packages have been
updated to include the latest bug fixes from upstream.  This includes a fix
for an issue where the Send Later function in kmail would cause an e-mail that
had been designated to be sent encrypted would be sent in plain text instead.

References:
https://cgit.kde.org/kdepimlibs.git/log/?h=KDE/4.14
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C5TGECM37KQEMCLQKNCGQDAOTJOSEZGH/
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
kdepim4-4.14.10-1.3.mga5
kdepim4-core-4.14.10-1.3.mga5
libmailimporter4-4.14.10-1.3.mga5
libkaddressbookprivate4-4.14.10-1.3.mga5
libkontactprivate4-4.14.10-1.3.mga5
libkorganizer_core4-4.14.10-1.3.mga5
libkdepim4-4.14.10-1.3.mga5
libkpgp4-4.14.10-1.3.mga5
kleopatra-4.14.10-1.3.mga5
kleopatra-handbook-4.14.10-1.3.mga5
libksieve4-4.14.10-1.3.mga5
libakregatorinterfaces4-4.14.10-1.3.mga5
libakregatorprivate4-4.14.10-1.3.mga5
akregator-4.14.10-1.3.mga5
akregator-handbook-4.14.10-1.3.mga5
libknodecommon4-4.14.10-1.3.mga5
knode-4.14.10-1.3.mga5
knode-handbook-4.14.10-1.3.mga5
kaddressbook-4.14.10-1.3.mga5
kaddressbook-handbook-4.14.10-1.3.mga5
blogilo-4.14.10-1.3.mga5
blogilo-handbook-4.14.10-1.3.mga5
libmessagecore4-4.14.10-1.3.mga5
kalarm-4.14.10-1.3.mga5
kalarm-handbook-4.14.10-1.3.mga5
ktimetracker-4.14.10-1.3.mga5
ktimetracker-handbook-4.14.10-1.3.mga5
libkmailprivate4-4.14.10-1.3.mga5
kmail-4.14.10-1.3.mga5
kmail-handbook-4.14.10-1.3.mga5
ktnef-4.14.10-1.3.mga5
ktnef-handbook-4.14.10-1.3.mga5
messageviewer-4.14.10-1.3.mga5
kincidenceeditor-4.14.10-1.3.mga5
kmailcvt-4.14.10-1.3.mga5
knotes-4.14.10-1.3.mga5
knotes-handbook-4.14.10-1.3.mga5
kontact-4.14.10-1.3.mga5
kontact-handbook-4.14.10-1.3.mga5
libkorganizer_interfaces4-4.14.10-1.3.mga5
korganizer-4.14.10-1.3.mga5
korganizer-handbook-4.14.10-1.3.mga5
libkorganizerprivate4-4.14.10-1.3.mga5
libmessagelist4-4.14.10-1.3.mga5
libkcal_resourceblog4-4.14.10-1.3.mga5
libkcal_resourceremote4-4.14.10-1.3.mga5
libkleopatraclientcore0-4.14.10-1.3.mga5
libkleo4-4.14.10-1.3.mga5
kdepim4-kresources-4.14.10-1.3.mga5
kjots-4.14.10-1.3.mga5
kjots-handbook-4.14.10-1.3.mga5
ksendemail-4.14.10-1.3.mga5
akonadiconsole-4.14.10-1.3.mga5
libcalendarsupport4-4.14.10-1.3.mga5
libcalendarsupportcollectionpage4-4.14.10-1.3.mga5
libeventviews4-4.14.10-1.3.mga5
libincidenceeditorsng4-4.14.10-1.3.mga5
libincidenceeditorsngmobile4-4.14.10-1.3.mga5
libkdepimdbusinterfaces4-4.14.10-1.3.mga5
libkdgantt20-4.14.10-1.3.mga5
libkleopatraclientgui0-4.14.10-1.3.mga5
libkmanagesieve4-4.14.10-1.3.mga5
libksieveui4-4.14.10-1.3.mga5
libmailcommon4-4.14.10-1.3.mga5
libmessageviewer4-4.14.10-1.3.mga5
libmessagecomposer4-4.14.10-1.3.mga5
libtemplateparser4-4.14.10-1.3.mga5
libsendlater4-4.14.10-1.3.mga5
libfollowupreminder4-4.14.10-1.3.mga5
libakonadi-next4-4.14.10-1.3.mga5
libpimcommon4-4.14.10-1.3.mga5
libcomposereditorng4-4.14.10-1.3.mga5
libgrantleetheme4-4.14.10-1.3.mga5
libgrantleethemeeditor4-4.14.10-1.3.mga5
libkaddressbookgrantlee4-4.14.10-1.3.mga5
libknotesprivate4-4.14.10-1.3.mga5
libnoteshared4-4.14.10-1.3.mga5
libpimsettingexporterprivate4-4.14.10-1.3.mga5
kdepim4-devel-4.14.10-1.3.mga5
kdepimlibs4-core-4.14.10-2.2.mga5
kdepimlibs4-handbooks-4.14.10-2.2.mga5
kio4-imap-4.14.10-2.2.mga5
kio4-pop3-4.14.10-2.2.mga5
kio4-ldap-4.14.10-2.2.mga5
kio4-sieve-4.14.10-2.2.mga5
kio4-mbox-4.14.10-2.2.mga5
kio4-smtp-4.14.10-2.2.mga5
kio4-nntp-4.14.10-2.2.mga5
libkabc4-4.14.10-2.2.mga5
libkblog4-4.14.10-2.2.mga5
libkabc_file_core4-4.14.10-2.2.mga5
libkcal4-4.14.10-2.2.mga5
libkimap4-4.14.10-2.2.mga5
libkldap4-4.14.10-2.2.mga5
libkmbox4-4.14.10-2.2.mga5
libkmime4-4.14.10-2.2.mga5
libkpimutils4-4.14.10-2.2.mga5
libkresources4-4.14.10-2.2.mga5
libktnef4-4.14.10-2.2.mga5
libkxmlrpcclient4-4.14.10-2.2.mga5
libmailtransport4-4.14.10-2.2.mga5
libsyndication4-4.14.10-2.2.mga5
libqgpgme1-4.14.10-2.2.mga5
libgpgme++2-4.14.10-2.2.mga5
libkpimidentities4-4.14.10-2.2.mga5
libakonadi-kde4-4.14.10-2.2.mga5
libakonadi-kabc4-4.14.10-2.2.mga5
libakonadi-kmime4-4.14.10-2.2.mga5
libakonadi-notes4-4.14.10-2.2.mga5
libkalarmcal2-4.14.10-2.2.mga5
libkholidays4-4.14.10-2.2.mga5
libkpimtextedit4-4.14.10-2.2.mga5
libmicroblog4-4.14.10-2.2.mga5
libakonadi-contact4-4.14.10-2.2.mga5
libakonadi-kcal4-4.14.10-2.2.mga5
libkontactinterface4-4.14.10-2.2.mga5
libakonadi-calendar4-4.14.10-2.2.mga5
libakonadi_socialutils4-4.14.10-2.2.mga5
libkcalcore4-4.14.10-2.2.mga5
libkcalutils4-4.14.10-2.2.mga5
libakonadi-xml4-4.14.10-2.2.mga5
kdepimlibs4-devel-4.14.10-2.2.mga5
akonadi-kde-4.14.10-2.1.mga5
libkdepim-copy4-4.14.10-2.1.mga5
libmaildir4-4.14.10-2.1.mga5
libakonadi-filestore4-4.14.10-2.1.mga5
libkmindexreader4-4.14.10-2.1.mga5
libfolderarchivesettings4-4.14.10-2.1.mga5
kdepim4-runtime-devel-4.14.10-2.1.mga5
akonadi-1.13.0-4.1.mga5
libakonadiprotocolinternals1-1.13.0-4.1.mga5
libakonadi-devel-1.13.0-4.1.mga5

from SRPMS:
kdepimlibs4-4.14.10-2.2.mga5.src.rpm
kdepim4-4.14.10-1.3.mga5.src.rpm
kdepim4-runtime-4.14.10-2.1.mga5.src.rpm
akonadi-1.13.0-4.1.mga5.src.rpm
Comment 14 PC LX 2017-08-27 17:30:58 CEST 
Installed and tested without issues.

Have been using, like usual, the updated kontact, akonadi, kmail, akregator, korganizer, akregator, etc for the last two days without issues.

System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU with proprietary driver nvidia340.

$ LANGUAGE=C ; for U in $(cat packages.txt) ; do rpm -q "$U" ; done | grep -v "not installed" 
kdepim4-4.14.10-1.3.mga5
kdepim4-core-4.14.10-1.3.mga5
kleopatra-4.14.10-1.3.mga5
kleopatra-handbook-4.14.10-1.3.mga5
akregator-4.14.10-1.3.mga5
akregator-handbook-4.14.10-1.3.mga5
knode-4.14.10-1.3.mga5
knode-handbook-4.14.10-1.3.mga5
kaddressbook-4.14.10-1.3.mga5
kaddressbook-handbook-4.14.10-1.3.mga5
blogilo-4.14.10-1.3.mga5
blogilo-handbook-4.14.10-1.3.mga5
kalarm-4.14.10-1.3.mga5
kalarm-handbook-4.14.10-1.3.mga5
ktimetracker-4.14.10-1.3.mga5
ktimetracker-handbook-4.14.10-1.3.mga5
kmail-4.14.10-1.3.mga5
kmail-handbook-4.14.10-1.3.mga5
messageviewer-4.14.10-1.3.mga5
kmailcvt-4.14.10-1.3.mga5
knotes-4.14.10-1.3.mga5
knotes-handbook-4.14.10-1.3.mga5
kontact-4.14.10-1.3.mga5
kontact-handbook-4.14.10-1.3.mga5
korganizer-4.14.10-1.3.mga5
korganizer-handbook-4.14.10-1.3.mga5
kdepim4-kresources-4.14.10-1.3.mga5
ksendemail-4.14.10-1.3.mga5
kdepimlibs4-core-4.14.10-2.2.mga5
kdepimlibs4-handbooks-4.14.10-2.2.mga5
kio4-imap-4.14.10-2.2.mga5
kio4-pop3-4.14.10-2.2.mga5
kio4-ldap-4.14.10-2.2.mga5
kio4-sieve-4.14.10-2.2.mga5
kio4-mbox-4.14.10-2.2.mga5
kio4-smtp-4.14.10-2.2.mga5
kio4-nntp-4.14.10-2.2.mga5
kdepimlibs4-devel-4.14.10-2.2.mga5
akonadi-kde-4.14.10-2.1.mga5
akonadi-1.13.0-4.1.mga5

CC: (none) => mageia
Whiteboard: (none) => MGA5-64-OK

Comment 15 Lewis Smith 2017-08-27 20:42:15 CEST 
@ PC_LX : thanks yet again for a thorough test.
Advisory from Comment 13 uploaded.
Validating as this is Mageia 5 only with a good 64-bit OK.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 16 Mageia Robot 2017-08-28 10:15:19 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0315.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED