Hey, I have now created a debdiff for kf5-messagelib. This patch touches the public ABI and adds one function, but this should not be a problem. Should I update messageviewer.symbols, too? And what should I add there, as no Debian revision should be added?
hefee
diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog
--- kf5-messagelib-16.04.3/debian/changelog 2017-06-17 09:08:12.000000000 +0200
+++ kf5-messagelib-16.04.3/debian/changelog 2018-05-19 17:16:55.000000000 +0200
@@ -1,3 +1,16 @@
+kf5-messagelib (4:16.04.3-3~deb9u2) stretch; urgency=high
+
+ * Team upload.
+
+ [ Sandro Knauß ]
+ * Limit outcome of CVE-2017-17689: kmail: efail attack against S/MIME
+ (Closes: #899127)
+ - Added upstream patches (modified to apply to old source):
+ * upstream-Distinguish-between-settings-and-explicit-override-f.patch
+ * upstream-Load-external-references-in-encrypted-emails-only-on.patch
+
+ -- Sandro Knauß <he...@debian.org> Sat, 19 May 2018 17:16:55 +0200
+
 kf5-messagelib (4:16.04.3-3~deb9u1) stretch; urgency=high
 
 * Team upload.
diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series
--- kf5-messagelib-16.04.3/debian/patches/series 2017-06-17 09:08:12.000000000 +0200
+++ kf5-messagelib-16.04.3/debian/patches/series 2018-05-19 16:13:08.000000000 +0200
@@ -1,3 +1,5 @@
 upstream_add_copying_files.patch
 make-it-impossible-to-override-css-settings-from-a-h.patch
 fix-CVE-2017-9604.patch
+upstream-Load-external-references-in-encrypted-emails-only-on.patch
+upstream-Distinguish-between-settings-and-explicit-override-f.patch
diff -Nru kf5-messagelib-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-override-f.patch kf5-messagelib-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-override-f.patch
--- kf5-messagelib-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-override-f.patch 1970-01-01 01:00:00.000000000 +0100
+++ kf5-messagelib-16.04.3/debian/patches/upstream-Distinguish-between-settings-and-explicit-override-f.patch 2018-05-19 17:10:27.000000000 +0200
@@ -0,0 +1,152 @@
+From 0bb1c5b12745b801f1aa4d6c630911845409e8ee Mon Sep 17 00:00:00 2001
+From: Volker Krause <vkra...@kde.org>
+Date: Thu, 26 Apr 2018 18:31:36 +0200
+Subject: [PATCH 33/44] Distinguish between settings and explicit override for
+ external content
+
+Summary:
+This will allow KMail to properly communicate the difference also when
+using per-folder settings for loading external references. This in turn
+makes D12391 also work in that case.
+
+Reviewers: mlaurent, dvratil, knauss
+
+Reviewed By: knauss
+
+Subscribers: #kde_pim
+
+Tags: #kde_pim
+
+Differential Revision: https://phabricator.kde.org/D12393
+---
+ messageviewer/src/viewer/viewer.cpp | 10 ++++++++--
+ messageviewer/src/viewer/viewer.h | 15 +++++++++++++--
+ messageviewer/src/viewer/viewer_p.cpp | 17 ++++++++++-------
+ messageviewer/src/viewer/viewer_p.h | 19 +++++++++++++++----
+ 4 files changed, 46 insertions(+), 15 deletions(-)
+
+--- a/messageviewer/src/viewer/viewer.cpp
++++ b/messageviewer/src/viewer/viewer.cpp
+@@ -258,10 +258,16 @@ void Viewer::setDisplayFormatMessageOver
+ d->setDisplayFormatMessageOverwrite(format);
+ }
+
+-void Viewer::setHtmlLoadExtOverride(bool override)
++void Viewer::setHtmlLoadExtDefault(bool loadExtDefault)
+ {
+ Q_D(Viewer);
+- d->setHtmlLoadExtOverride(override);
++ d->setHtmlLoadExtDefault(loadExtDefault);
++}
++
++void Viewer::setHtmlLoadExtOverride(bool loadExtOverride)
++{
++ Q_D(Viewer);
++ d->setHtmlLoadExtOverride(loadExtOverride);
+ }
+
+ void Viewer::setAppName(const QString &appName)
+--- a/messageviewer/src/viewer/viewer.h
++++ b/messageviewer/src/viewer/viewer.h
+@@ -203,8 +203,19 @@ public:
+ /** Get the load external references override setting */
+ bool htmlLoadExtOverride() const;
+
+- /** Override default load external references setting */
+- void setHtmlLoadExtOverride(bool override);
++ /** Default behavior for loading external references.
++ * Use this for specifying the external reference loading behavior as
++ * specified in the user settings.
++ * @see setHtmlLoadExtOverride
++ */
++ void setHtmlLoadExtDefault(bool loadExtDefault);
++
++ /** Override default load external references setting
++ * @warning This must only be called when the user has explicitly
++ * been asked to retrieve external references!
++ * @see setHtmlLoadExtDefault
++ */
++ void setHtmlLoadExtOverride(bool loadExtOverride);
+
+ /** Is html mail to be supported? Takes into account override */
+ bool htmlMail() const;
+--- a/messageviewer/src/viewer/viewer_p.cpp
++++ b/messageviewer/src/viewer/viewer_p.cpp
+@@ -217,7 +217,7 @@ ViewerPrivate::ViewerPrivate(Viewer *aPa
+ mDisplayFormatMessageOverwrite = MessageViewer::Viewer::UseGlobalSetting;
+ mHtmlLoadExtOverride = false;
+
+- mHtmlLoadExternalGlobalSetting = false;
++ mHtmlLoadExternalDefaultSetting = false;
+ mHtmlMailGlobalSetting = false;
+
+ mUpdateReaderWinTimer.setObjectName(QStringLiteral("mUpdateReaderWinTimer"));
+@@ -1113,7 +1113,6 @@ void ViewerPrivate::readConfig()
+ }
+
+ mHtmlMailGlobalSetting = MessageViewer::MessageViewerSettings::self()->htmlMail();
+- mHtmlLoadExternalGlobalSetting = MessageViewer::MessageViewerSettings::self()->htmlLoadExternal();
+
+ if (mZoomActionMenu) {
+ mZoomActionMenu->setZoomTextOnly(MessageViewer::MessageViewerSettings::self()->zoomTextOnly());
+@@ -2655,8 +2654,8 @@ bool ViewerPrivate::htmlLoadExternal() c
+ return mHtmlLoadExtOverride;
+ }
+
+- return ((mHtmlLoadExternalGlobalSetting && !mHtmlLoadExtOverride) ||
+- (!mHtmlLoadExternalGlobalSetting && mHtmlLoadExtOverride));
++ return ((mHtmlLoadExternalDefaultSetting && !mHtmlLoadExtOverride) ||
++ (!mHtmlLoadExternalDefaultSetting && mHtmlLoadExtOverride));
+ }
+
+ void ViewerPrivate::setDisplayFormatMessageOverwrite(Viewer::DisplayFormatMessage format)
+@@ -2673,9 +2672,14 @@ Viewer::DisplayFormatMessage ViewerPriva
+ return mDisplayFormatMessageOverwrite;
+ }
+
+-void ViewerPrivate::setHtmlLoadExtOverride(bool override)
++void ViewerPrivate::setHtmlLoadExtDefault(bool loadExtDefault)
+ {
+- mHtmlLoadExtOverride = override;
++ mHtmlLoadExternalDefaultSetting = loadExtDefault;
++}
++
++void ViewerPrivate::setHtmlLoadExtOverride(bool loadExtOverride)
++{
++ mHtmlLoadExtOverride = loadExtOverride;
+ }
+
+ bool ViewerPrivate::htmlLoadExtOverride() const
+--- a/messageviewer/src/viewer/viewer_p.h
++++ b/messageviewer/src/viewer/viewer_p.h
+@@ -379,8 +379,19 @@ public:
+ /** Get the load external references override setting */
+ bool htmlLoadExtOverride() const;
+
+- /** Override default load external references setting */
+- void setHtmlLoadExtOverride(bool override);
++ /** Default behavior for loading external references.
++ * Use this for specifying the external reference loading behavior as
++ * specified in the user settings.
++ * @see setHtmlLoadExtOverride
++ */
++ void setHtmlLoadExtDefault(bool loadExtDefault);
++
++ /** Override default load external references setting
++ * @warning This must only be called when the user has explicitly
++ * been asked to retrieve external references!
++ * @see setHtmlLoadExtDefault
++ */
++ void setHtmlLoadExtOverride(bool loadExtOverride);
+
+ /** Enforce message decryption. */
+ void setDecryptMessageOverwrite(bool overwrite = true);
+@@ -588,7 +599,7 @@ private:
+ public:
+ NodeHelper *mNodeHelper;
+ bool mHtmlMailGlobalSetting;
+- bool mHtmlLoadExternalGlobalSetting;
++ bool mHtmlLoadExternalDefaultSetting;
+ bool mHtmlLoadExtOverride;
+ KMime::Message::Ptr mMessage; //the current message, if it was set manually
+ Akonadi::Item mMessageItem; //the message item from Akonadi
diff -Nru kf5-messagelib-16.04.3/debian/patches/upstream-Load-external-references-in-encrypted-emails-only-on.patch kf5-messagelib-16.04.3/debian/patches/upstream-Load-external-references-in-encrypted-emails-only-on.patch
--- kf5-messagelib-16.04.3/debian/patches/upstream-Load-external-references-in-encrypted-emails-only-on.patch 1970-01-01 01:00:00.000000000 +0100
+++ kf5-messagelib-16.04.3/debian/patches/upstream-Load-external-references-in-encrypted-emails-only-on.patch 2018-05-19 17:10:27.000000000 +0200
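Review bot: `setHtmlLoadExtOverride()` keeps its name and signature, but its documented contract is now "only when the user has explicitly asked", so any existing caller that still passes a settings-derived value (the commit summary mentions per-folder settings) would be treated as an explicit request and get past the encrypted-message check in `htmlLoadExternal()`, which returns `mHtmlLoadExtOverride` directly. Those callers are outside this diff and need to be audited and switched to `setHtmlLoadExtDefault()` together with this upload. `readConfig()`, whose body is only partly visible here, also no longer reads `MessageViewerSettings::htmlLoadExternal()`, so `mHtmlLoadExternalDefaultSetting` stays `false` until an application calls the new setter; that is the safe direction but a behaviour change for every user of the library. As a style point, the final return in `htmlLoadExternal()` is an exclusive-or and reads more clearly as `return mHtmlLoadExternalDefaultSetting != mHtmlLoadExtOverride;`.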
@@ -0,0 +1,37 @@
+From 221a5d4ee8ce6c73d927299596f7e0dec22ad230 Mon Sep 17 00:00:00 2001
+From: Volker Krause <vkra...@kde.org>
+Date: Thu, 26 Apr 2018 18:23:15 +0200
+Subject: [PATCH 32/44] Load external references in encrypted emails only on
+ explicit request
+
+Reviewers: mlaurent, dvratil, knauss
+
+Reviewed By: knauss
+
+Subscribers: #kde_pim
+
+Tags: #kde_pim
+
+Differential Revision: https://phabricator.kde.org/D12391
+---
+ messageviewer/src/viewer/viewer_p.cpp | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/messageviewer/src/viewer/viewer_p.cpp
++++ b/messageviewer/src/viewer/viewer_p.cpp
+@@ -2646,6 +2646,15 @@ bool ViewerPrivate::htmlMail() const
+
+ bool ViewerPrivate::htmlLoadExternal() const
+ {
++ if (!mNodeHelper || !mMessage) {
++ return mHtmlLoadExtOverride;
++ }
++
++ // when displaying an encrypted message, only load external resources on explicit request
++ if (mNodeHelper->overallEncryptionState(mMessage.data()) != MessageViewer::KMMsgNotEncrypted) {
++ return mHtmlLoadExtOverride;
++ }
++
+ return ((mHtmlLoadExternalGlobalSetting && !mHtmlLoadExtOverride) ||
+ (!mHtmlLoadExternalGlobalSetting && mHtmlLoadExtOverride));
+ }
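Review bot: The new check in `htmlLoadExternal()` is only as good as the encryption state `mNodeHelper` has recorded for `mMessage` at the moment it is queried; if a caller can ask before the message has been parsed, the state may still read as not encrypted and the default setting would apply, which is worth confirming against the callers outside this hunk. The first guard is the fail-closed path but carries no comment; I would add `// no helper or no message: encryption state unknown, so load only on explicit request`. The diffstat lists only viewer_p.cpp, so a regression test that displays an encrypted message with the default set to load external references and asserts `htmlLoadExternal()` is false would keep this mitigation from silently regressing.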