Version in base suite: 22.12.3-1 Base version: kmail-account-wizard_22.12.3-1 Target version: kmail-account-wizard_22.12.3-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/kmail-account-wizard/kmail-account-wizard_22.12.3-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/k/kmail-account-wizard/kmail-account-wizard_22.12.3-1+deb12u1.dsc changelog | 13 ++++++++ patches/CVE-2024-50624.patch | 68 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 82 insertions(+)
diff -Nru kmail-account-wizard-22.12.3/debian/changelog kmail-account-wizard-22.12.3/debian/changelog
--- kmail-account-wizard-22.12.3/debian/changelog 2023-03-01 20:33:00.000000000 +0000
+++ kmail-account-wizard-22.12.3/debian/changelog 2025-05-27 08:03:02.000000000 +0000
@@ -1,3 +1,16 @@
+kmail-account-wizard (4:22.12.3-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2024-50624
+ fix man-in-the-middle-attack when using autoconf for retrieving
+ configuration
+ * for configuration with autoconf.example.com, the config is fetched
+ via https and the former http as fallback.
+ for configuration via example.com/.well-known/autoconfig the
+ config is now fetched only with https
+
+ -- Thorsten Alteholz Tue, 27 May 2025 10:03:02 +0200
+ + kmail-account-wizard (4:22.12.3-1) unstable; urgency=medium [ Patrick Franz ]
diff -Nru kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch
--- kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch 1970-01-01 00:00:00.000000000 +0000
+++ kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch 2025-05-27 08:03:02.000000000 +0000
@@ -0,0 +1,68 @@
+commit 9784f5ab41c3aff435d4a88afb25585180a62ee4
+Author: Laurent Montel
+Date: Mon Jun 3 13:42:29 2024 +0200
+
+ Fix bug 487882: plaintext HTTP request in kmail-account-wizard
+
+ BUG: 487882
+ FIXED-IN: 6.2.0
+
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.cpp 2025-05-27 11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp 2025-05-27 12:57:09.463399061 +0200
+@@ -64,11 +64,14 @@
+ QUrl url;
+ const QString path = type + QStringLiteral("/config-v") + version + QStringLiteral(".xml");
+ switch (mServerType) {
++ case IspHttpsAutoConfig:
++ url = QUrl(QStringLiteral("https://autoconfig.") + mAddr.domain.toLower() + QLatin1Char('/') + path);
++ break;
+ case IspAutoConfig:
+ url = QUrl(QStringLiteral("http://autoconfig.") + mAddr.domain.toLower() + QLatin1Char('/') + path);
+ break;
+ case IspWellKnow:
+- url = QUrl(QStringLiteral("http://") + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
++ url = QUrl(QStringLiteral("https://") + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
+ break;
+ case DataBase:
+ url = QUrl(QStringLiteral("https://autoconfig.thunderbird.net/v1.1/") + mAddr.domain.toLower());
+@@ -93,16 +96,9 @@
+ qCDebug(ACCOUNTWIZARD_LOG) << "Fetching failed" << job->errorString();
+ bool lookupFinished = false;
+
+- switch (mServerType) {
+- case IspAutoConfig:
+- mServerType = IspWellKnow;
+- break;
+- case IspWellKnow:
+- lookupFinished = true;
+- break;
+- case DataBase:
+- mServerType = IspAutoConfig;
+- break;
++ if (mServerType != Ispdb::searchServerType::Last) {
++ int index = static_cast(mServerType);
++ mServerType= static_cast(++index);
+ }
+
+ if (lookupFinished) {
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.h
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.h 2025-05-27 11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.h 2025-05-27 11:10:40.171001261 +0200
+@@ -95,9 +95,11 @@
+ @see lookupUrl to generate a url base on this type
+ */
+ enum searchServerType {
+- IspAutoConfig = 0, /**< http://autoconfig.example.com/mail/config-v1.1.xml */
+- IspWellKnow, /**< http://example.com/.well-known/autoconfig/mail/config-v1.1.xml */
+- DataBase /**< https://autoconfig.thunderbird.net/v1.1/example.com */
++ DataBase = 0, ///< https://autoconfig.thunderbird.net/v1.1/example.com */
++ IspHttpsAutoConfig = 1, ///< https://autoconfig.example.com/mail/config-v1.1.xml
++ IspAutoConfig = 2, ///< http://autoconfig.example.com/mail/config-v1.1.xml
++ IspWellKnow = 3, ///< https://example.com/.well-known/autoconfig/mail/config-v1.1.xml
++ Last = IspWellKnow
+ };
+
+ /** let's request the autoconfig server */
diff -Nru kmail-account-wizard-22.12.3/debian/patches/series kmail-account-wizard-22.12.3/debian/patches/series
--- kmail-account-wizard-22.12.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ kmail-account-wizard-22.12.3/debian/patches/series 2025-05-27 08:03:02.000000000 +0000
@@ -0,0 +1 @@
+CVE-2024-50624.patch
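Review bot: In the second ispdb.cpp hunk of the backported patch (`@@ -93,16 +96,9 @@`) `lookupFinished` is declared but never set to true any more: the removed switch set it when IspWellKnow failed, whereas the replacement only advances mServerType while it is below Last and does nothing once it equals Last, so the following `if (lookupFinished)` is dead and a failure at the last server type no longer signals completion — if the code after that check (outside the hunk, as is the start of the enclosing handler) re-issues the lookup, the well-known URL would be retried without end. The missing branch is `} else { lookupFinished = true; }` after the increment. Separately, the numeric fall-through means any failure of the new IspHttpsAutoConfig fetch, a TLS certificate error included, proceeds straight to the plaintext IspAutoConfig URL, so an on-path attacker who can make the HTTPS request fail still obtains the cleartext fetch CVE-2024-50624 describes; consider not advancing past IspHttpsAutoConfig when the job error is a TLS/certificate failure rather than a connection failure, and record the residual downgrade in the enum comment. Minor: the new `DataBase = 0, ///< ... */` line in ispdb.h keeps a stray `*/` from the old `/**< */` form, and `mServerType= static_cast(++index)` is missing the space before `=` (the static_cast template arguments also appear stripped in this rendering, so the applied patch should be checked for `static_cast<int>` and `static_cast<Ispdb::searchServerType>`).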