[USN-7729-1] KDE PIM vulnerabilities
Posted on 03 September 2025
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-7729-1
September 02, 2025
kdepim vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in KDE PIM.
Software Description:
- kdepim: Personal Information Management apps
Details:
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising,
Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg
Schwenk discovered that the KMail application of KDE PIM could be made
to leak the plaintext of S/MIME encrypted emails when retrieving
external content in emails. Under certain configurations, if a user were
tricked into opening a specially crafted email, an attacker could
possibly use this issue to obtain the plaintext of an encrypted email.
This update mitigates the issue by preventing KMail from automatically
loading external content. (CVE-2017-17689)
Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel,
and Jörg Schwenk discovered that the KMail application of KDE PIM could
be made to leak the plaintext of S/MIME or PGP encrypted emails. If a
user were tricked into replying to a specially crafted email, an
attacker could possibly use this issue to obtain the plaintext of an
encrypted email. (CVE-2019-10732)
It was discovered that the KMail application of KDE PIM could be made to
attach files to an email without the user's knowledge. If a user
were tricked into sending an email created by a specially crafted
"mailto" link, an attacker could possibly use this issue to obtain
sensitive files. This update mitigates the issue by displaying a
warning to the user when files are attached in this way.
(CVE-2020-11880)
It was discovered that the Account Wizard application of KDE PIM used
HTTP rather than HTTPS when retrieving certain email server
configurations. An attacker could possibly use this issue to cause email
clients to use an attacker-controlled email server. This issue only
affected Ubuntu 16.04 LTS. (CVE-2024-50624)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
  accountwizard                   4:15.12.3-0ubuntu1.1+esm1
                                  Available with Ubuntu Pro
  kmail                           4:15.12.3-0ubuntu1.1+esm1
                                  Available with Ubuntu Pro
  libkf5messageviewer5            4:15.12.3-0ubuntu1.1+esm1
                                  Available with Ubuntu Pro
  libkf5templateparser5           4:15.12.3-0ubuntu1.1+esm1
                                  Available with Ubuntu Pro
Ubuntu 14.04 LTS
  kmail                           4:4.13.3-0ubuntu0.2+esm1
                                  Available with Ubuntu Pro
  libmessageviewer4               4:4.13.3-0ubuntu0.2+esm1
                                  Available with Ubuntu Pro
  libtemplateparser4              4:4.13.3-0ubuntu0.2+esm1
                                  Available with Ubuntu Pro
After a standard system update you need to restart KMail to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7729-1
CVE-2017-17689, CVE-2019-10732, CVE-2020-11880, CVE-2024-50624