Bug 30000 - trojita possible new security issue CVE-2019-10734
Summary: trojita possible new security issue CVE-2019-10734
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-04 16:25 CET by David Walser
Modified: 2022-06-03 19:16 CEST (History)
5 users (show)

See Also:
Source RPM: trojita-0.7-8.git20200625.2.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-02-04 16:25:17 CET 
Fedora has issued an advisory today (February 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UO27BOQW7OIOG56IBQEHPEIS5JYYKDHN/

We fixed CVE-2020-15047 in Bug 26859, but may not have a fix for this CVE.

There's also the bugs referenced in Bug 29353.
David Walser 2022-02-04 16:25:38 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-02-04 21:33:53 CET 
This looks complicated with its references to other packages & bugs, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2022-05-22 08:12:52 CEST 
this one is fixed in mga8/9


src:
    - trojita-0.7-8.git20200625.2.1.mga8

Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia
Version: Cauldron => 8

Comment 3 Herman Viaene 2022-06-01 15:58:53 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Configured to use IMAP for my hotmail account, using my regular provider's SMTP.
I can send and reply plain messages OK from a to my gmail account handled on my desktop PC. But I have a problem wit attachments:
sending mail with attachement from my gmail account from my desktp PC, all goes well.
But sending email with attachment from trojita (hotmail account) is rejected by gmail-smtp-in.l.google.com for lack of authentication. My IP does not use encryption or authentication for smtp and that has never been a problem, I use my regular mail, gmail and hotmail all in Thunderbird on my desktop.
No other problems apart from it being a clumsy affair.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-06-01 17:20:43 CEST 
I tried, and it installs OK, and the gui does run, but that's as far as I get. I believe that's because all of my email accounts now require 0Auth2 authentication, which apparently isn't supported by trojita.

CC: (none) => andrewsfarm

Comment 5 Thomas Andrews 2022-06-01 21:21:23 CEST 
I created an Outlook (Hotmail) email account, and was able to receive IMAP mail using trojita. I could not send anything - something to do with authentication. 

That seems to be the way of it. I have heard from others that trojita can probably be set up to work with gmail, but it is a more involved process than I wish to get into.

Since Herman was able to send and receive mail from Hotmail, and I was able to receive, I believe this is working as designed. Giving it an OK.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-06-02 22:41:16 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-06-03 19:16:19 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0214.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.