SB2025090338 - Ubuntu update for kf5-messagelib

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025090338

SB2025090338 - Ubuntu update for kf5-messagelib

Published: September 3, 2025

Security Bulletin ID SB2025090338
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2017-17689)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper access controls. A remote attacker with access to a target user's S/MIME encrypted email message can exploit a property of Cipher Feedback Mode (CFB) by modifying known plaintext blocks (such as MIME headers). When the target user decrypts and views the modified email message, the target user's mail client will parse the resulting modified HTML content and disclose the original plaintext to a remote URL.

This exploit is the "CFB gadget" attack method of the vulnerability referred to as "EFAIL".


2) Input validation error (CVE-ID: CVE-2019-10732)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.


Remediation

Install update from vendor's website.

References