Limit CVE-2017-17689 (EFAIL) in KMail #70

Merged
SlavekB merged 2 commits from feat/efail-fixes into master 2 years ago
Owner

The patches are taken from KDE and adapted for TDE. Because we do not have a separate library messagelib, patches for messagelib and KMail as such are merged into one. Therefore, there are two patches instead of three patches. See https://dot.kde.org/2018/05/15/efail-and-kmail

This resolves issue #22.

SlavekB added this to the R14.0.13 release milestone 2 years ago
SlavekB added 2 commits 2 years ago
f065cd30d5
Load external references in encrypted emails only on explicit request.
be41d346d1
Distinguish between settings and explicit override for external content
MicheleC approved these changes 2 years ago
MicheleC left a comment
Owner

Looks good. Have not tested, but it's surprising to see how simple the fix is.

Poster
Owner

> Looks good. Have not tested, but it's surprising to see how simple the fix is.

I did not do additional research – I just worked from the conclusions in the overview of the impact of the problem on individual clients at https://efail.de/ and the patches that were applied to KMail in KDE.

The patches make sure that, for encrypted messages, it is _always_ necessary _to confirm_ the loading of parts from external sources. That is, the user always gets to check what will be loaded. Therefore, they are quite simple.

SlavekB added the PR/not-ok label 2 years ago
Poster
Owner

This requires further testing and adjustments, because the behavior with the patches is not as intended.

SlavekB changed title from Limit CVE-2017-17689 (EFAIL) in KMail to WIP: Limit CVE-2017-17689 (EFAIL) in KMail 2 years ago
SlavekB added the PR/wip label 2 years ago
SlavekB force-pushed feat/efail-fixes from be41d346d1 to fb582ff127 2 years ago
SlavekB removed the PR/not-ok PR/wip labels 2 years ago
SlavekB changed title from WIP: Limit CVE-2017-17689 (EFAIL) in KMail to Limit CVE-2017-17689 (EFAIL) in KMail 2 years ago
SlavekB requested review from MicheleC 2 years ago
Poster
Owner

Resetting the override flag has been added to the slot responding to the message selection.

SlavekB changed title from Limit CVE-2017-17689 (EFAIL) in KMail to WIP: Limit CVE-2017-17689 (EFAIL) in KMail 2 years ago
SlavekB added the PR/wip label 2 years ago
Poster
Owner

Turning on the loading of external links at the folder level does not have the expected behavior, so it requires further effort.

SlavekB force-pushed feat/efail-fixes from fb582ff127 to c8e1b254e2 2 years ago
SlavekB changed title from WIP: Limit CVE-2017-17689 (EFAIL) in KMail to Limit CVE-2017-17689 (EFAIL) in KMail 2 years ago
Poster
Owner

Testing `!mMessage` was misleading and caused an unwanted result. Setting `mViewer->setOnlyLocalReferences(!htmlLoadExternal());` has been moved to the moment when the message that is currently displayed is already loaded.

I did tests and it seems that now everything really works as it was intended.

SlavekB removed the PR/wip label 2 years ago
MicheleC approved these changes 2 years ago
MicheleC left a comment
Owner

Looks good.

SlavekB merged commit c8e1b254e2 into master 2 years ago
SlavekB deleted branch feat/efail-fixes 2 years ago
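
The behaviour this thread converges on, as an added C++ sketch that is not code from the TDE patches: a configured "load external references" setting never applies to an encrypted message on its own, an explicit user request does, and that request is dropped when another message is selected. `ReaderPolicy`, `Message` and all method names are hypothetical, and treating "no message loaded" as local-only is an assumption of the sketch.

```cpp
#include <iostream>
#include <string>

// Hypothetical model of the policy discussed in this thread; not TDE code.
struct Message { bool encrypted; };

class ReaderPolicy {
public:
    // Configured preference (global or per-folder) to load external references.
    void setConfiguredLoadExternal(bool on) { mConfigured = on; }

    // Message-selection slot: the explicit override granted for the
    // previous message must not carry over to the next one.
    void selectMessage(const Message *msg) { mOverride = false; mMessage = msg; }

    // The user explicitly asked to load external content for this message.
    void userRequestsExternal() { if (mMessage) mOverride = true; }

    // Evaluated once the displayed message is known.
    bool loadExternal() const {
        if (!mMessage) return false;            // assumption: fail closed
        if (mOverride) return true;             // explicit request wins
        if (mMessage->encrypted) return false;  // settings alone never suffice
        return mConfigured;
    }
    bool onlyLocalReferences() const { return !loadExternal(); }

private:
    const Message *mMessage = nullptr;
    bool mConfigured = false;
    bool mOverride = false;
};

// Walks four steps and records 'L' (local only) or 'E' (external allowed).
std::string scenario() {
    ReaderPolicy p;
    p.setConfiguredLoadExternal(true);
    Message plain{false}, enc1{true}, enc2{true};  // constructed sample messages
    std::string out;
    auto record = [&] { out += p.onlyLocalReferences() ? 'L' : 'E'; };
    p.selectMessage(&plain);  record();  // setting applies to a plain message
    p.selectMessage(&enc1);   record();  // encrypted: setting is ignored
    p.userRequestsExternal(); record();  // explicit request for this message
    p.selectMessage(&enc2);   record();  // override reset on selection
    return out;
}

int main() { std::cout << scenario() << "\n"; }  // prints "ELEL"
```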

The pull request has been merged as c8e1b254e2.
Reference: TDE/tdepim#70