Fedora has issued an advisory on October 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRIPL72WMXTVWS2M7WYV5SNPETYJ2YI7/ Apparently the issue was fixed upstream in 20.07.80.
openSUSE has issued an advisory for this on October 25: https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00053.html
Done for mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated kleopatra packages fix security vulnerability:

The Kleopatra component before 20.07.80 for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary library (CVE-2020-24972).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24972
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRIPL72WMXTVWS2M7WYV5SNPETYJ2YI7/
========================

Updated packages in core/updates_testing:
========================

kleopatra-19.04.0-1.1.mga7
kleopatra-handbook-19.04.0-1.1.mga7
libkf5kleopatraclientcore1-19.04.0-1.1.mga7
libkf5kleopatraclientgui1-19.04.0-1.1.mga7
libkf5libkleopatra-devel-19.04.0-1.1.mga7

from kleopatra-19.04.0-1.1.mga7.src.rpm
Assignee: kde => qa-bugs
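The advisory describes a URL handler whose payload ended up on a command line, where Qt then interpreted it as an option. An added illustration of the defensive pattern that closes that class of bug, written for this thread and not taken from Kleopatra's or Mageia's code: the only thing an openpgp4fpr: URL is allowed to carry is a hexadecimal fingerprint, and that is checked (after percent-decoding) before any argument vector is built. The function names are this example's own, and it assumes that only 40-digit (v4) and 64-digit (v5) fingerprints are legitimate payloads; whether Kleopatra itself accepts shorter key IDs is not something this thread states.

```python
"""Allow-list validation of openpgp4fpr: URL payloads (added example).

Not Kleopatra's code.  The idea is that a URL handler must never pass an
attacker-chosen string to a command line as-is: the payload is reduced to
the one shape it is allowed to have (a hex fingerprint) or refused.
"""
import re
from urllib.parse import unquote

# Assumption of this example: v4 fingerprints are 40 hex digits and v5
# fingerprints are 64; nothing else is treated as a fingerprint.
FINGERPRINT_RE = re.compile(r"\A(?:[0-9A-F]{40}|[0-9A-F]{64})\Z")


class UnsafeUrlError(ValueError):
    """Raised when a URL carries anything other than a bare fingerprint."""


def fingerprint_from_url(url: str) -> str:
    """Return the upper-cased fingerprint carried by an openpgp4fpr: URL.

    Percent-decoding happens before validation so that an encoded leading
    dash (%2D) cannot slip past the check.  Spaces between fingerprint
    groups are tolerated and removed.
    """
    scheme, sep, payload = url.partition(":")
    if not sep or scheme.lower() != "openpgp4fpr":
        raise UnsafeUrlError(f"not an openpgp4fpr: URL: {url!r}")
    candidate = unquote(payload).replace(" ", "").upper()
    # The regex alone would refuse this too; the explicit check exists so
    # the refusal names the actual problem (an option-like payload).
    if candidate.startswith("-"):
        raise UnsafeUrlError("payload looks like a command-line option")
    if not FINGERPRINT_RE.match(candidate):
        raise UnsafeUrlError("payload is not a hexadecimal fingerprint")
    return candidate


def is_safe_url(url: str) -> bool:
    """Boolean convenience wrapper around fingerprint_from_url()."""
    try:
        fingerprint_from_url(url)
        return True
    except UnsafeUrlError:
        return False


def build_query_argv(url: str) -> list[str]:
    """Build the argument vector for `kleopatra --query <fingerprint>`.

    The fingerprint comes only from fingerprint_from_url(), so by the time
    it is placed after --query it is known to consist of hex digits only
    and cannot be read as an option by the launched process.
    """
    return ["kleopatra", "--query", fingerprint_from_url(url)]


if __name__ == "__main__":
    # Constructed sample inputs; the 40-digit fingerprint is made up.
    SAMPLES = [
        "openpgp4fpr:0123456789ABCDEF0123456789ABCDEF01234567",
        "openpgp4fpr:0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
        "openpgp4fpr:-platformpluginpath",      # option-like payload
        "openpgp4fpr:%2Dplatformpluginpath",    # same, percent-encoded
        "openpgp4fpr:74A868398AA76EE9",         # 16-digit key ID, not a fingerprint
        "https://example.invalid/x",            # wrong scheme
    ]
    for url in SAMPLES:
        try:
            print("accepted", build_query_argv(url))
        except UnsafeUrlError as err:
            print("refused ", f"{url!r}: {err}")
```

The design choice worth noting is that this is an allow-list, not a deny-list of known-bad options: a check that only looked for the literal string "platformpluginpath" would be bypassed by the next option Qt happens to honour, whereas a payload that must match a fingerprint pattern leaves no room for any option at all.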
MGA7-64 MATE on Peaq C1011
No installation issues.
Launched kleopatra from CLI, GUI looks good, I could generate a key, and wanted to stop there, since I'm not fluent at this subject. So tried to close by clicking the "X" icon, but the CLI didn't come back. Opened another tab on the MATE terminal and

$ ps -ef | grep kleo
tester7   5894  5809  2 11:47 pts/0    00:00:09 kleopatra
tester7   6477  6432  0 11:53 pts/1    00:00:00 grep --color kleo
kill 5894
$ ps -ef | grep kleo
tester7   6516  6432  0 11:53 pts/1    00:00:00 grep --color kleo

And checked in the other terminal tab and it showed:

Terminated
[tester7@mach6 ~]$

So started kleopatra again

$ kleopatra

And no GUI shows up, but in the other tab I see

$ ps -ef | grep kleo
tester7   6529  5809  5 11:54 pts/0    00:00:00 kleopatra
tester7   6554  6432  0 11:54 pts/1    00:00:00 grep --color kleo

So what the hell is this process doing???
CC: (none) => herman.viaene
@Herman, Since Kleopatra is a KDE Plasma front-end for GnuPG, it is best tested in this env. Moreover, launching Kleopatra in Plasma spawns not only a GUI but a systray icon that persists after closing the GUI. That's why you can't get a prompt back in a terminal. For me, on Plasma M7 x86_64, I would like to say MGA7-64-OK but I can't validate new OpenPGP public keys from the default keyservers. I will upload a screenshot later this afternoon.
CC: (none) => ouaurelien
When using File/Quit, the choice is presented to close the window or quit kleopatra. If quit is chosen, it does fully exit.

I have gpg configured to use a key server ...

$ grep ^keyserver .gnupg/gpg.conf
keyserver pool.sks-keyservers.net

I was able to delete some old keys, and also able to import a new key from the key server.

$ kleopatra --query 74A868398AA76EE9

correctly opens a kleopatra window showing one of my keys.

I don't see a proof of concept for the bug, so validating based on no regressions noticed.
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
(In reply to Dave Hodgins from comment #6)
> When using File/Quit, the choice is presented to close the window or quit
> kleopatra. If quit is chosen, it does fully exit.
>
> I have gpg configured to use a key server ...
> $ grep ^keyserver .gnupg/gpg.conf
> keyserver pool.sks-keyservers.net
>
> I was able to delete some old keys, and also able to import a new key from
> the key server.
>
> $ kleopatra --query 74A868398AA76EE9
> correctly opens a kleopatra window showing one of my keys.
>
> I don't see a proof of concept for the bug, so validating based on no
> regressions noticed.

This fixes my installation. I really don't know why this installation forgot this. Thanks Dave!

Advisory pushed to SVN.
Keywords: (none) => advisory
@Aurelien, I will not try to stop this update, but there is something strange to me with this package. I quote you: "Since Kleopatra is a KDE Plasma front-end for GnuPG, it is best tested in this env. Moreover, launching Kleopatra in Plasma spawns not only a GUI but a systray icon that persists after closing GUI." The laptop I tested this on is KDE-free as far as I can check in MCC (switched it off at installation, and since then added nothing from that area). Installing Kleopatra didn't draw in any KDE/Plasma dependency at all. That is somewhat strange to me, although I guess not impossible at all.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0425.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED