KDE has issued an advisory on April 29 2021:
Cauldron fixed by David G.
Mageia 8 and 7 also affected.
Assigning to KDE maintainers.
Fix here: https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799
Done for both mga7 and mga8!
Assigning to QA then.
Updated messagelib packages fix security vulnerability:
Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g. an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. This is not easily noticeable by the user because KMail does not display the decrypted content.
With a specially crafted message a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the attacker could read the decrypted content of the encrypted message.
Updated packages in 7/core/updates_testing:
Updated packages in 8/core/updates_testing:
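As an added illustration of the failure mode the advisory describes (this is not KMail or messagelib code, and not the upstream fix), the guard below refuses to write a message back to the server when the original was PGP/MIME encrypted but the rewritten copy no longer carries the encryption layer. The sample messages are constructed; the ciphertext is a placeholder string, not real OpenPGP data.

```python
"""Added illustration (not KMail/messagelib code): refuse to store a rewritten
message on the IMAP server if its PGP/MIME encryption layer has disappeared."""
from email import message_from_bytes, policy
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def is_pgp_mime_encrypted(msg: Message) -> bool:
    """RFC 3156 layout: multipart/encrypted with the pgp-encrypted protocol."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")

def safe_to_upload(original_raw: bytes, rewritten_raw: bytes) -> bool:
    """A rewritten copy of an encrypted message may be stored only if it is
    still encrypted; otherwise the decrypted content would reach the server."""
    original = message_from_bytes(original_raw, policy=policy.default)
    rewritten = message_from_bytes(rewritten_raw, policy=policy.default)
    if not is_pgp_mime_encrypted(original):
        return True  # nothing confidential was protected in the first place
    return is_pgp_mime_encrypted(rewritten)

# Constructed sample: the message as stored on the server. The ciphertext is a
# placeholder, not real OpenPGP data.
def build_encrypted_message() -> bytes:
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["Subject"] = "quarterly numbers"
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    outer.attach(MIMEApplication(
        b"-----BEGIN PGP MESSAGE-----\n<placeholder>\n-----END PGP MESSAGE-----\n",
        "octet-stream"))
    return outer.as_bytes()

# Constructed sample: what the client holds after decrypting the message and
# deleting its attachment. This plaintext form is what a vulnerable client
# would write back to the server.
def build_decrypted_without_attachment() -> bytes:
    inner = MIMEMultipart("mixed")
    inner["Subject"] = "quarterly numbers"
    inner.attach(MIMEText("The secret body text.\n"))
    # the attachment has been removed; only the decrypted body remains
    return inner.as_bytes()

if __name__ == "__main__":
    enc = build_encrypted_message()
    leaked = build_decrypted_without_attachment()
    print(safe_to_upload(enc, leaked))  # False: decrypted content would be uploaded
    print(safe_to_upload(enc, enc))     # True: ciphertext layer preserved
```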
Please make sure the CVE is in the advisory. Thanks.
(In reply to David Walser from comment #5)
> Please make sure the CVE is in the advisory. Thanks.
MGA8 Plasma x86_64
KMail 20.12.0. This involves receiving an encrypted mail with an attachment.
Next, you must decrypt it, and then delete the attachment. Unsure if this is really feasible on my side, as my remote server is gmail... for this.
Testing. Removing an attachment from a sent PGP decrypted encrypted mail from another account.
Navigating to gmail web client. I see my PGP mail decrypted...
Resent a mail from my other account to my gmail one. This encrypted PGP mail with an attachment is well received. KMail decrypts it correctly. Attempting to remove the attachment. Navigating to gmail web client. OK. Mail is still PGP encrypted.
OK on MGA8. Will see next time on MGA7. It should be OK.
MGA7 Plasma x86_64.
Applying updates, KMail is OK to send mail. Encrypted ones are still encrypted after KMail is closed. On the web server, the mail is still encrypted.
Giving this an OK.
An update for this issue has been pushed to the Mageia Updates repository.