Bug 28861

Summary: messagelib new security issue CVE-2021-31855
Product: Mageia Reporter: Aurelien Oudelet <ouaurelien>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://kde.org/info/security/advisory-20210429-1.txt
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: messagelib-20.12.0-1.mga8.src.rpm CVE: CVE-2021-31855
Status comment:

Description Aurelien Oudelet 2021-04-30 17:07:27 CEST 
KDE has issued an advisory on April 29 2021:
https://kde.org/info/security/advisory-20210429-1.txt

Cauldron fixed by David G.

Mageia 8 and 7 also affected.
Comment 1 Aurelien Oudelet 2021-04-30 17:09:39 CEST 
Assigning to KDE maintainers.

Version: Cauldron => 8
Status comment: (none) => Fix here: https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799
Assignee: bugsquad => kde

Comment 2 David GEIGER 2021-05-01 07:03:34 CEST 
Done for both mga7 and mga8!

CC: (none) => geiger.david68210

Comment 3 Nicolas Lécureuil 2021-05-02 00:37:26 CEST 
assigning to QA then

CC: (none) => mageia
Assignee: kde => qa-bugs

Comment 4 Aurelien Oudelet 2021-05-02 18:57:49 CEST 
Advisory:
========================

Updated messagelib packages fix security vulnerability:

Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g. an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. This is not easily noticeable by the user because KMail does not display the decrypted content.

With a specially crafted message a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the attacker could read the decrypted content of the encrypted message.

References:
https://bugs.mageia.org/show_bug.cgi?id=28861
https://kde.org/info/security/advisory-20210429-1.txt
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)kf5messagecomposer5-19.04.0-1.2.mga7
lib(64)kf5messagecore5-19.04.0-1.2.mga7
lib(64)kf5messagelib-devel-19.04.0-1.2.mga7
lib(64)kf5messagelist5-19.04.0-1.2.mga7
lib(64)kf5messageviewer5-19.04.0-1.2.mga7
lib(64)kf5mimetreeparser5-19.04.0-1.2.mga7
lib(64)kf5templateparser5-19.04.0-1.2.mga7
lib(64)kf5webengineviewer5-19.04.0-1.2.mga7
messagelib-19.04.0-1.2.mga7

from SRPM:
========================
messagelib-19.04.0-1.2.mga7.src.rpm


Updated packages in 8/core/updates_testing:
========================
lib(64)kf5messagecomposer5-20.12.0-1.1.mga8
lib(64)kf5messagecore5-20.12.0-1.1.mga8
lib(64)kf5messagelib-devel-20.12.0-1.1.mga8
lib(64)kf5messagelist5-20.12.0-1.1.mga8
lib(64)kf5messageviewer5-20.12.0-1.1.mga8
lib(64)kf5mimetreeparser5-20.12.0-1.1.mga8
lib(64)kf5templateparser5-20.12.0-1.1.mga8
lib(64)kf5webengineviewer5-20.12.0-1.1.mga8
messagelib-20.12.0-1.1.mga8

from SRPM:
========================
messagelib-20.12.0-1.1.mga8.src.rpm
Comment 5 David Walser 2021-05-02 19:15:01 CEST 
Please make sure the CVE is in the advisory. Thanks.
Comment 6 Aurelien Oudelet 2021-05-02 20:15:28 CEST 
(In reply to David Walser from comment #5)
> Please make sure the CVE is in the advisory. Thanks.

Sure. Thanks.


MGA8 Plasma x86_64
KMail 20.12.0. This involves receiving an encrypted mail with an attachment.
Next, you must decrypt it, and next delete the attachment. Unsure if this is really feasible on my side, as my remote server is gmail... for this.

Testing. Removing an attachment from a sent PGP decrypted encrypted mail from an other account.
Navigating to gmail web client. I see my PGP mail decrypted...

Applying updates.
Resent a mail from my other account to my gmail one. This encrypted PGP mail with an attachment is well received. KMail decrypts it correctly. Attempting to remove the attachment. Navigating to gmail web client. OK. Mail is still PGP encrypted.

OK on MGA8. Will see next time on MGA7. It should be OK.

Keywords: (none) => advisory
Whiteboard: (none) => MGA8-64-OK

Aurelien Oudelet 2021-05-02 20:16:54 CEST

Whiteboard: MGA8-64-OK => MGA7TOO MGA8-64-OK

Comment 7 Aurelien Oudelet 2021-05-06 20:00:53 CEST 
MGA7 Plasma x86_64.

Applying updates, KMail is OK to send mail. Encrypted one are still encrypted after KMail is closed. On web server, the mail is still encrypted.


Giving this an OK.
Validating.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
Status comment: Fix here: https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799 => (none)
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2021-05-07 07:37:10 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0208.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED