USN-7730-1: PIM Messagelib vulnerabilities
Publication date
2 September 2025
Overview
Several security issues were fixed in PIM Messagelib.
Releases
Packages
- kf5-messagelib - KDE PIM messaging library
Details
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising,
Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg
Schwenk discovered that PIM Messagelib could be made to leak the plaintext
of S/MIME encrypted emails when retrieving external content in emails.
Under certain configurations, if a user were tricked into opening a
specially crafted email using an application linked against PIM Messagelib,
an attacker could possibly use this issue to obtain the plaintext of an
encrypted email. This update mitigates the issue by preventing automatic
loading of external content. (CVE-2017-17689)
Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel,
and Jörg Schwenk discovered that PIM Messagelib could be made to leak the
plaintext of S/MIME or PGP encrypted emails. If a user were tricked into
replying to a specially crafted email using an application...
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising,
Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg
Schwenk discovered that PIM Messagelib could be made to leak the plaintext
of S/MIME encrypted emails when retrieving external content in emails.
Under certain configurations, if a user were tricked into opening a
specially crafted email using an application linked against PIM Messagelib,
an attacker could possibly use this issue to obtain the plaintext of an
encrypted email. This update mitigates the issue by preventing automatic
loading of external content. (CVE-2017-17689)
Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel,
and Jörg Schwenk discovered that PIM Messagelib could be made to leak the
plaintext of S/MIME or PGP encrypted emails. If a user were tricked into
replying to a specially crafted email using an application linked
against PIM Messagelib, an attacker could possibly use this issue to obtain
the plaintext of an encrypted email. (CVE-2019-10732)
Update instructions
After a standard system update you need to restart any applications which use PIM Messagelib, such as KMail, to make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 18.04 bionic | libkf5messageviewer5abi4 – 4:17.12.3-0ubuntu3+esm1 | ||
| libkf5mimetreeparser5abi2 – 4:17.12.3-0ubuntu3+esm1 | |||
| libkf5templateparser5abi2 – 4:17.12.3-0ubuntu3+esm1 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.