CVE-2017-9604

NameCVE-2017-9604
DescriptionKDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs864803, 864804

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kdepim (PTS)jessie, jessie (lts)4:4.14.1-1+deb8u2fixed
stretch4:16.04.3-4~deb9u1fixed
kf5-messagelib (PTS)stretch4:16.04.3-3~deb9u1fixed
buster4:18.08.3-2fixed
bullseye4:20.08.3-5fixed
bookworm4:22.12.3-2~deb12u1fixed
sid, trixie4:22.12.3-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kdepimsourcewheezy(not affected)
kdepimsourcejessie4:4.14.1-1+deb8u1
kdepimsourcestretch4:16.04.3-4~deb9u1
kdepimsource(unstable)4:16.04.3-4864804
kf5-messagelibsourcestretch4:16.04.3-3~deb9u1
kf5-messagelibsource(unstable)4:16.04.3-3864803

Notes

[wheezy] - kdepim <not-affected> (sendlater issue is not present in kdepim-4.4.11.1+l10n)
Fixed by (kmail): https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8
Fixed by (messagelib): https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197
https://www.kde.org/info/security/advisory-20170615-1.txt
Search for package or bug name: Reporting problems