Bug 28260

Summary: messagelib new security issue CVE-2019-10732
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: geiger.david68210, mageia, ouaurelien, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: messagelib-19.04.0-1.mga7.src.rpm
CVE: CVE-2019-10732
Status comment:

Comment 1 Nicolas Lécureuil 2021-01-30 18:20:49 CET
Link to the upstream commit: https://github.com/KDE/messagelib/commit/8f9b85b664be0987014c5d2485e706ab5a198e1b

CC: (none) => mageia

Comment 2 David GEIGER 2021-01-31 05:57:30 CET
The real commit is this one https://github.com/KDE/messagelib/commit/a58286aec8f300d78c570726924baa91d9a22771

CC: (none) => geiger.david68210

Comment 3 David GEIGER 2021-01-31 06:14:43 CET
Done for mga7!

Comment 4 David Walser 2021-01-31 07:51:40 CET
Advisory:
========================

Updated messagelib packages fix security vulnerability:

In KDE KMail, an attacker in possession of S/MIME or PGP encrypted emails can
wrap them as sub-parts within a crafted multipart email. The encrypted part(s)
can further be hidden using HTML/CSS or ASCII newline characters. This modified
multipart email can be re-sent by the attacker to the intended receiver. If the
receiver replies to this (benign looking) email, they unknowingly leak the
plaintext of the encrypted message part(s) back to the attacker
(CVE-2019-10732).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10732
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIP7JD6E7AKTOSG2IAFVY4AE7G4NZIKB/
========================

Updated packages in core/updates_testing:
========================
messagelib-19.04.0-1.1.mga7
libkf5messagecomposer5-19.04.0-1.1.mga7
libkf5messagecore5-19.04.0-1.1.mga7
libkf5messagelist5-19.04.0-1.1.mga7
libkf5messageviewer5-19.04.0-1.1.mga7
libkf5templateparser5-19.04.0-1.1.mga7
libkf5mimetreeparser5-19.04.0-1.1.mga7
libkf5webengineviewer5-19.04.0-1.1.mga7
libkf5messagelib-devel-19.04.0-1.1.mga7

from messagelib-19.04.0-1.1.mga7.src.rpm

Assignee: kde => qa-bugs
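
The structure the advisory in Comment 4 describes (an encrypted part wrapped as a sub-part of a larger multipart mail) can be checked for on the receiving side. The following is an added example, not code from this bug report or from the upstream messagelib fix; the function names and the sample message are constructed for illustration.

```python
import email
from email import policy

ARMOR = b"-----BEGIN PGP MESSAGE-----"
SMIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def is_encrypted(part):
    """True for PGP/MIME, S/MIME enveloped data, or inline PGP armor."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype in SMIME:  # pkcs7-mime also carries signed-only data
        return str(part.get_param("smime-type", "")).lower() != "signed-data"
    if ctype.startswith("text/"):
        return ARMOR in (part.get_payload(decode=True) or b"")
    return False

def nested_encrypted_parts(raw):
    """Return (path, content-type) for every encrypted part below the root."""
    findings = []
    def visit(part, path):
        if is_encrypted(part):
            if path:  # an encrypted root is the normal case, not a finding
                findings.append(("/".join(path), part.get_content_type()))
            return  # ciphertext is opaque, nothing to descend into
        if part.is_multipart():  # also true for message/rfc822 attachments
            for i, child in enumerate(part.get_payload(), 1):
                visit(child, path + [str(i)])
    visit(email.message_from_bytes(raw, policy=policy.default), [])
    return findings

# Constructed sample: a plain-text part followed by an S/MIME encrypted sub-part.
SAMPLE = b"""\
Subject: quick question
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Did you get my last mail?
--outer
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

(constructed placeholder, not real ciphertext)
--outer--
"""

if __name__ == "__main__":
    print(nested_encrypted_parts(SAMPLE))
```

A legitimately forwarded encrypted mail matches as well, so a hit is a prompt to inspect the message before replying, not proof of tampering.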

Comment 5 Nicolas Lécureuil 2021-01-31 12:03:07 CET
David, are you sure? This is not what is written here: https://security-tracker.debian.org/tracker/CVE-2019-10732

Comment 6 David GEIGER 2021-01-31 15:04:53 CET
Yes sure, see https://github.com/KDE/messagelib/commits/Applications/19.04

Commits on May 12, 2019

- Merge branch 'CVE-2019-10732' into Applications/19.04

Comment 7 David Walser 2021-01-31 16:36:38 CET
If you look at the patch, it's actually multiple commits.

Comment 8 Aurelien Oudelet 2021-02-04 09:43:27 CET
PoC in upstream GitHub.

On MGA7 Plasma x86_64.
KMail already set up.

Sending to myself an encrypted mail (use 2 email accounts) from KMail with account 1.

Use Thunderbird (which does not have the private key from account 1) to resend this encrypted mail as an attachment from account 2 to account 1.

In KMail, see the message from Thunderbird with the encrypted mail as attachment.
Use reply in KMail to account 2.
On Thunderbird (account 2): see the previously encrypted attached mail as decrypted!

Using QA Repo
Use new mail. Send encrypted and signed emails. OK
Basic functionality is the same.

Redo the above test.
In the end, the previously encrypted attached mail is still encrypted.

Give this an OK. MGA7-64-OK
Validating
Advisory pushed to SVN.

Whiteboard: (none) => MGA7-64-OK
CVE: (none) => CVE-2019-10732
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 9 Mageia Robot 2021-02-04 14:41:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0067.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED