KDE has issued an advisory on April 29 2021: https://kde.org/info/security/advisory-20210429-1.txt
Cauldron fixed by David G.
Mageia 8 and 7 also affected.
Assigning to KDE maintainers.
Version: Cauldron => 8
Status comment: (none) => Fix here: https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799
Assignee: bugsquad => kde
Done for both mga7 and mga8!
CC: (none) => geiger.david68210
assigning to QA then
CC: (none) => mageia
Assignee: kde => qa-bugs
Advisory:
========================

Updated messagelib packages fix security vulnerability:

Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g. an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. This is not easily noticeable by the user because KMail does not display the decrypted content. With a specially crafted message a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the attacker could read the decrypted content of the encrypted message.

References:
https://bugs.mageia.org/show_bug.cgi?id=28861
https://kde.org/info/security/advisory-20210429-1.txt
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)kf5messagecomposer5-19.04.0-1.2.mga7
lib(64)kf5messagecore5-19.04.0-1.2.mga7
lib(64)kf5messagelib-devel-19.04.0-1.2.mga7
lib(64)kf5messagelist5-19.04.0-1.2.mga7
lib(64)kf5messageviewer5-19.04.0-1.2.mga7
lib(64)kf5mimetreeparser5-19.04.0-1.2.mga7
lib(64)kf5templateparser5-19.04.0-1.2.mga7
lib(64)kf5webengineviewer5-19.04.0-1.2.mga7
messagelib-19.04.0-1.2.mga7

from SRPM:
========================
messagelib-19.04.0-1.2.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)kf5messagecomposer5-20.12.0-1.1.mga8
lib(64)kf5messagecore5-20.12.0-1.1.mga8
lib(64)kf5messagelib-devel-20.12.0-1.1.mga8
lib(64)kf5messagelist5-20.12.0-1.1.mga8
lib(64)kf5messageviewer5-20.12.0-1.1.mga8
lib(64)kf5mimetreeparser5-20.12.0-1.1.mga8
lib(64)kf5templateparser5-20.12.0-1.1.mga8
lib(64)kf5webengineviewer5-20.12.0-1.1.mga8
messagelib-20.12.0-1.1.mga8

from SRPM:
========================
messagelib-20.12.0-1.1.mga8.src.rpm
Please make sure the CVE is in the advisory. Thanks.
(In reply to David Walser from comment #5)
> Please make sure the CVE is in the advisory. Thanks.

Sure. Thanks.

MGA8 Plasma x86_64 KMail 20.12.0.

This involves receiving an encrypted mail with an attachment. Next, you must decrypt it, and next delete the attachment. Unsure if this is really feasible on my side, as my remote server is gmail... for this.

Testing. Removing an attachment from a sent PGP decrypted encrypted mail from another account. Navigating to gmail web client. I see my PGP mail decrypted...

Applying updates. Resent a mail from my other account to my gmail one. This encrypted PGP mail with an attachment is well received. KMail decrypts it correctly. Attempting to remove the attachment. Navigating to gmail web client. OK. Mail is still PGP encrypted.

OK on MGA8. Will see next time on MGA7. It should be OK.
Keywords: (none) => advisory
Whiteboard: (none) => MGA8-64-OK
Whiteboard: MGA8-64-OK => MGA7TOO MGA8-64-OK
MGA7 Plasma x86_64.

Applying updates, KMail is OK to send mail. Encrypted ones are still encrypted after KMail is closed. On web server, the mail is still encrypted.

Giving this an OK. Validating.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
Status comment: Fix here: https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799 => (none)
CC: (none) => sysadmin-bugs
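The check the QA comments above perform by hand (look at the copy stored on the server and confirm it is still PGP-encrypted after the attachment was removed from the decrypted view) can be automated. The script below is an added example written for this page; it is not part of the bug report nor of KDE's or Mageia's code. It takes the raw RFC 822 bytes of a message as fetched from the server and reports whether the stored copy is still a PGP/MIME (RFC 3156) or inline-PGP encrypted message, then compares a "before" and "after" copy and looks for a known plaintext string (a canary) that must never appear in the stored copy. Fetching over IMAP is left out; both sample messages are constructed, the armored block is a placeholder rather than a real ciphertext, and `Secret meeting notes` stands for the tester's own known content.

```python
"""Added example (not KDE/Mageia code): does the server-side copy of a
message stay PGP-encrypted after a client-side operation such as deleting
an attachment?  Functions take raw RFC 822 bytes (e.g. from IMAP FETCH BODY[]).
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def is_pgp_mime_encrypted(msg: EmailMessage) -> bool:
    """RFC 3156 layout: multipart/encrypted, protocol application/pgp-encrypted,
    a control part followed by an application/octet-stream part with the armor."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if (msg.get_param("protocol") or "").lower() != "application/pgp-encrypted":
        return False
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        return False
    control, body = parts
    if control.get_content_type() != "application/pgp-encrypted":
        return False
    if body.get_content_type() != "application/octet-stream":
        return False
    return PGP_ARMOR_HEADER in (body.get_payload(decode=True) or b"")


def is_inline_pgp_encrypted(msg: EmailMessage) -> bool:
    """Older inline style: a text/plain body that is itself an armored message."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if payload.lstrip().startswith(PGP_ARMOR_HEADER):
                return True
    return False


def message_is_encrypted(raw: bytes) -> bool:
    msg = message_from_bytes(raw, policy=policy.default)
    return is_pgp_mime_encrypted(msg) or is_inline_pgp_encrypted(msg)


def canary_exposed(raw: bytes, canary: str) -> bool:
    """True if a known plaintext string is readable in any stored leaf part."""
    needle = canary.encode()
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if not part.is_multipart() and needle in (part.get_payload(decode=True) or b""):
            return True
    return False


def encryption_preserved(before: bytes, after: bytes, canary: str) -> dict:
    """Compare the stored copy before and after the client operation."""
    before_enc = message_is_encrypted(before)
    after_enc = message_is_encrypted(after)
    exposed = canary_exposed(after, canary)
    return {
        "before_encrypted": before_enc,
        "after_encrypted": after_enc,
        "canary_exposed_after": exposed,
        # A leak is: it was encrypted on the server, and now it is not (or the
        # plaintext canary is visible in the stored copy).
        "leaked": before_enc and (not after_enc or exposed),
    }


# Constructed sample: the encrypted message as stored before any client action.
# The armored block is a placeholder, not a real ciphertext.
BEFORE = b"""From: alice@example.test
Subject: quarterly notes
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMAwAAAAAAAAAAAQf9PLACEHOLDERNOTREALCIPHERTEXT
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample: what a faulty client would re-upload after the attachment
# was deleted from the decrypted view: no encryption layer, plaintext in the clear.
AFTER_LEAKED = b"""From: alice@example.test
Subject: quarterly notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Secret meeting notes in clear text.

--b2--
"""

CANARY = "Secret meeting notes"  # constructed: a string known to be in the plaintext

if __name__ == "__main__":
    print("faulty client:", encryption_preserved(BEFORE, AFTER_LEAKED, CANARY))
    print("fixed client: ", encryption_preserved(BEFORE, BEFORE, CANARY))
```

Run it against two copies of the same message fetched before and after the attachment deletion; a `leaked: True` result is the condition the advisory describes, while a patched KMail should leave the stored copy unchanged and report `leaked: False`.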
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0208.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED