Control: tags -1 - moreinfo
 
> We'll need to see a debdiff of the proposed package, built and tested on
> stretch, before going any further, please.

The debdiff is the version that is currently in testing. The diff was created 
when testing was in deep freeze, so actually the version state that is now in 
stretch. The version number may need to be adjusted.

Best Regards,

sandro
diff -Nru kf5-messagelib-16.04.3/debian/changelog kf5-messagelib-16.04.3/debian/changelog
--- kf5-messagelib-16.04.3/debian/changelog	2016-08-02 14:07:27.000000000 +0200
+++ kf5-messagelib-16.04.3/debian/changelog	2017-06-17 09:08:12.000000000 +0200
@@ -1,3 +1,13 @@
+kf5-messagelib (4:16.04.3-3) unstable; urgency=high
+
+  * Team upload.
+
+  [ Sandro Knauß ]
+  * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864803)
+    - Added upstream patch fix-CVE-2017-9604.patch
+
+ -- Sandro Knauß <he...@debian.org>  Sat, 17 Jun 2017 09:08:12 +0200
+
 kf5-messagelib (4:16.04.3-2) unstable; urgency=high
 
   [ Automatic packaging ]
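
Review bot: The first line of the new changelog entry targets `unstable` with version `4:16.04.3-3`, while the request quoted above asks for a package built and tested on stretch. For a stretch upload the distribution field should name stretch, and the version should sort after `4:16.04.3-2` and before `4:16.04.3-3`, by convention a `+deb9u1` suffix on the version being updated. The cover text already says the version number may need to be adjusted. The `Closes: #864803` reference and the patch name can stay as they are.
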
diff -Nru kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch
--- kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch	1970-01-01 01:00:00.000000000 +0100
+++ kf5-messagelib-16.04.3/debian/patches/fix-CVE-2017-9604.patch	2017-06-17 08:35:48.000000000 +0200
@@ -0,0 +1,26 @@
+From c54706e990bbd6498e7b1597ec7900bc809e8197 Mon Sep 17 00:00:00 2001
+From: Montel Laurent <mon...@kde.org>
+Date: Fri, 2 Jun 2017 13:56:41 +0200
+Subject: Make sure to sign/encrypt message when we send later
+
+(cherry picked from commit 4048f5e46d0a7d62d93d74fd2861dd70fb2ad660)
+---
+ messagecomposer/src/composer/composerviewbase.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/messagecomposer/src/composer/composerviewbase.cpp b/messagecomposer/src/composer/composerviewbase.cpp
+index d44b8b2..672ea1e 100644
+--- a/messagecomposer/src/composer/composerviewbase.cpp
++++ b/messagecomposer/src/composer/composerviewbase.cpp
+@@ -468,7 +468,7 @@ void MessageComposer::ComposerViewBase::slotEmailAddressResolved(KJob *job)
+     // if so, we create a composer per format
+     // if we aren't signing or encrypting, this just returns a single empty message
+     bool wasCanceled = false;
+-    if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone) {
++    if (m_neverEncrypt && mSaveIn != MessageComposer::MessageSender::SaveInNone && !mSendLaterInfo) {
+         MessageComposer::Composer *composer = new MessageComposer::Composer;
+         composer->setNoCrypto(true);
+         m_composers.append(composer);
+-- 
+cgit v0.11.2
+
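
Review bot: In the `composerviewbase.cpp` hunk, the condition now excludes `mSendLaterInfo` from the no-crypto branch, but the two comment lines above it are unchanged and nothing at that spot says why a send-later message must not reach `composer->setNoCrypto(true)`. A short comment beside the condition would keep the extra check from being dropped in a later cleanup. Judging by the condition, such a message has `mSaveIn` other than `SaveInNone` yet is still going to be sent, so sign/encrypt has to apply. The embedded patch header carries only the upstream commit metadata; a `Bug-Debian:` field pointing at #864803 would tie it to the changelog entry.
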
diff -Nru kf5-messagelib-16.04.3/debian/patches/series kf5-messagelib-16.04.3/debian/patches/series
--- kf5-messagelib-16.04.3/debian/patches/series	2016-08-02 14:07:27.000000000 +0200
+++ kf5-messagelib-16.04.3/debian/patches/series	2017-06-17 09:02:09.000000000 +0200
@@ -1,2 +1,3 @@
 upstream_add_copying_files.patch
 make-it-impossible-to-override-css-settings-from-a-h.patch
+fix-CVE-2017-9604.patch
