CVE-2017-9604

NameCVE-2017-9604
DescriptionKDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs864803, 864804

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kdepim (PTS)wheezy4:4.4.11.1+l10n-3fixed
jessie4:4.14.1-1vulnerable
stretch4:16.04.3-4~deb9u1fixed
buster, sid4:16.04.3-4fixed
kf5-messagelib (PTS)stretch4:16.04.3-3~deb9u1fixed
buster, sid4:16.04.3-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kdepimsource(unstable)4:16.04.3-4medium864804
kdepimsourcestretch4:16.04.3-4~deb9u1medium
kdepimsourcewheezy(not affected)
kf5-messagelibsource(unstable)4:16.04.3-3medium864803
kf5-messagelibsourcestretch4:16.04.3-3~deb9u1medium

Notes

[jessie] - kdepim <no-dsa> (Minor issue)
[wheezy] - kdepim <not-affected> (sendlater issue is not present in kdepim-4.4.11.1+l10n)
Fixed by (kmail): https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8
Fixed by (messagelib): https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197
https://www.kde.org/info/security/advisory-20170615-1.txt

Search for package or bug name: Reporting problems