
Cloud Vulnerability DB
A community-led vulnerabilities database
KDE Messagelib through version 5.17.0 contains a security vulnerability (CVE-2021-31855) that reveals the cleartext of encrypted messages in specific situations. The vulnerability was discovered and disclosed on April 29, 2021, affecting KMail and the messagelib component. When a user deletes an attachment from a decrypted encrypted message stored on a remote server (such as an IMAP server), KMail uploads the decrypted content of the message to the remote server in place of the original ciphertext (KDE Advisory).
The vulnerability exists in the ViewerPrivate::deleteAttachment function in messageviewer/src/viewer/viewer_p.cpp. When deleting an attachment, the code incorrectly uses the decrypted message content instead of the original encrypted content when uploading the modified message back to the server. This implementation flaw causes the exposure of decrypted content that should remain encrypted (GitHub Commit). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).
If exploited, an attacker with access to the email server could read the decrypted content of encrypted messages. The attack scenario involves tricking a user into first decrypting an encrypted message and then deleting an attachment from that message. The decrypted content would then be exposed on the email server, compromising the confidentiality of the encrypted communication (KDE Advisory).
As a temporary workaround, users are advised not to delete attachments from encrypted messages. The permanent fix is available in messagelib version 5.17.1 and later. Alternatively, users can apply the patch provided in the KDE commit 3b5b171e91ce78b966c98b1292a1bcbc8d984799 (KDE Advisory).
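The defect class described above (editing the decrypted view of a message and then writing that edited copy back to the server where only the ciphertext had been stored) can be modelled in a few lines, together with the kind of invariant check at the upload boundary that would catch it. The following is an added example written for this page; it is not KDE or messagelib code, does not use KMime or any real messagelib type, and the fix shown (a guard that refuses to replace an encrypted stored message with content that fails an encryption check) is a hypothetical hardening, not the patch in the KDE commit. The sample messages, the `b1` MIME boundary, and the PGP-armor heuristic in `isEncrypted` are all constructed for the demo.

```cpp
// Added example for CVE-2021-31855's defect class; not KDE/messagelib code.
#include <iostream>
#include <stdexcept>
#include <string>

// Constructed stand-in for a message on the IMAP server plus its decrypted
// view in the mail client. Real messagelib types are deliberately not used.
struct StoredMessage {
    std::string encryptedSource;  // what the server actually holds (ciphertext)
    std::string decryptedSource;  // what the viewer shows after decryption
};

// Constructed sample: the stored copy is an OpenPGP/MIME style armored block.
const std::string kEncrypted =
    "Subject: quarterly numbers\r\n"
    "Content-Type: multipart/encrypted; protocol=\"application/pgp-encrypted\"\r\n"
    "\r\n"
    "-----BEGIN PGP MESSAGE-----\r\n"
    "hQEMA0Y3pGxNVmE1AQf9...constructed ciphertext...\r\n"
    "-----END PGP MESSAGE-----\r\n";

// Constructed sample: the decrypted view is plaintext MIME with an attachment.
const std::string kDecrypted =
    "Subject: quarterly numbers\r\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Revenue fell 40%, do not forward.\r\n"
    "--b1\r\n"
    "Content-Disposition: attachment; filename=\"numbers.xlsx\"\r\n"
    "\r\n"
    "<binary>\r\n"
    "--b1--\r\n";

// Heuristic used by this demo only: armored PGP marker means "still encrypted".
bool isEncrypted(const std::string& source) {
    return source.find("-----BEGIN PGP MESSAGE-----") != std::string::npos;
}

// Toy attachment removal: drops the MIME part carrying Content-Disposition:
// attachment (from its leading boundary up to the closing boundary).
std::string removeAttachmentPart(const std::string& source, const std::string& boundary) {
    const std::string delim = "--" + boundary + "\r\n";
    const std::string closing = "--" + boundary + "--\r\n";
    std::size_t att = source.find("Content-Disposition: attachment");
    if (att == std::string::npos) return source;
    std::size_t start = source.rfind(delim, att);
    std::size_t end = source.find(closing, att);
    if (start == std::string::npos || end == std::string::npos) return source;
    return source.substr(0, start) + source.substr(end);
}

// Vulnerable pattern: the edit is applied to the decrypted view and that
// result is what would be uploaded, so plaintext replaces the ciphertext.
std::string vulnerableDeleteAttachment(const StoredMessage& msg) {
    return removeAttachmentPart(msg.decryptedSource, "b1");
}

// Hypothetical guard (not the KDE fix): at the upload boundary, an encrypted
// stored message may only be replaced by content that still passes the
// encryption check. Returns the content to upload or throws.
std::string guardedUpload(const StoredMessage& msg, const std::string& candidate) {
    if (isEncrypted(msg.encryptedSource) && !isEncrypted(candidate)) {
        throw std::runtime_error("refusing to replace encrypted message with cleartext");
    }
    return candidate;
}

// Demonstrates the leak: the would-be upload is plaintext containing the body.
bool vulnerableLeaksCleartext() {
    StoredMessage m{kEncrypted, kDecrypted};
    std::string uploaded = vulnerableDeleteAttachment(m);
    return !isEncrypted(uploaded) && uploaded.find("do not forward") != std::string::npos;
}

// Demonstrates the guard stopping the same operation.
bool guardBlocksLeak() {
    StoredMessage m{kEncrypted, kDecrypted};
    try {
        guardedUpload(m, vulnerableDeleteAttachment(m));
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

// The guard still lets an unchanged (still encrypted) copy through.
bool guardAllowsEncryptedRewrite() {
    StoredMessage m{kEncrypted, kDecrypted};
    return guardedUpload(m, m.encryptedSource) == m.encryptedSource;
}

int main() {
    std::cout << "vulnerable path leaks cleartext: " << vulnerableLeaksCleartext() << "\n";
    std::cout << "guard blocks the leak: " << guardBlocksLeak() << "\n";
    std::cout << "guard allows encrypted rewrite: " << guardAllowsEncryptedRewrite() << "\n";
    return 0;
}
```

The point of the guard is where it sits: any code path that writes a message back to a remote store checks the candidate against what the store already holds, so a mistake in whichever editing function produced the candidate cannot turn a ciphertext into a plaintext on the server. The same comparison makes a useful regression test for a mail client: after any "modify stored message" operation on an encrypted message, assert that what was sent to the server still carries the encrypted part.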
Source: This report was generated using AI