Bug 933344 - <kde-apps/konqueror-23.08.5-r1: HTML Thumbnailer automatic remote file access
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://kde.org/info/security/advisor...
Whiteboard: B4 [glsa?]
Keywords:
Depends on: 933341
Blocks:
Reported: 2024-06-01 07:19 UTC by Andreas Sturmlechner
Modified: 2024-06-18 05:47 UTC

See Also:
Package list:
Runtime testing required: ---


Description Andreas Sturmlechner gentoo-dev 2024-06-01 07:19:32 UTC
Overview
========
Various KDE applications share a plugin system to create thumbnails
of various file types for displaying in file managers, file dialogs, etc.

konqueror contains a thumbnailer plugin for HTML files.

The konqueror HTML thumbnailer was incorrectly accessing some content of
remote URLs listed in HTML files. This meant that the owners of the servers
referred to in HTML files in your system could have seen in their access logs
your IP address every time the thumbnailer tried to create the thumbnail.

The HTML thumbnailer using Qt6 is fixed and does not access remote URLs anymore.

Workaround
==========
Remove the HTML Thumbnailer plugin from your system.
The file name is webarchivethumbnail.so and should be in your Qt plugin path.
The Qt plugin path can be queried with
    qmake -query QT_INSTALL_PLUGINS

Solution
========
Update to a konqueror version using Qt6
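
A read-only check for the workaround above, added here as an example (it is not part of the bug report or of KDE's advisory): it searches the Qt plugin paths for webarchivethumbnail.so and reports any copy still installed. The qmake variant names, the use of QT_PLUGIN_PATH and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: locate the HTML thumbnailer plugin named in the advisory.
PLUGIN_NAME="webarchivethumbnail.so"   # file name given in the advisory

# Print candidate Qt plugin directories, one per line.
# Assumption: qmake may be installed under versioned names, and
# QT_PLUGIN_PATH may hold a colon-separated list of extra plugin directories.
qt_plugin_dirs() {
    for q in qmake qmake5 qmake6 qmake-qt5; do
        if command -v "$q" >/dev/null 2>&1; then
            "$q" -query QT_INSTALL_PLUGINS 2>/dev/null || true
        fi
    done
    if [ -n "${QT_PLUGIN_PATH:-}" ]; then
        printf '%s\n' "$QT_PLUGIN_PATH" | tr ':' '\n'
    fi
}

# Print every copy of the plugin found below the given directories.
# The search is recursive because plugins may sit in subdirectories.
find_html_thumbnailer() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name "$PLUGIN_NAME" 2>/dev/null
    done | sort -u
}

# Return 0 when no copy is present, 1 when at least one is found.
audit_html_thumbnailer() {
    found=$(find_html_thumbnailer "$@")
    if [ -n "$found" ]; then
        printf 'HTML thumbnailer still installed:\n%s\n' "$found" >&2
        return 1
    fi
    printf 'No %s under the checked plugin paths.\n' "$PLUGIN_NAME"
    return 0
}

# Audit the system paths only when invoked with "--system".
if [ "${1:-}" = "--system" ]; then
    # Assumes plugin paths contain no whitespace (word splitting is intended).
    audit_html_thumbnailer $(qt_plugin_dirs)
fi
```

The script only reports; removing the file (or updating to the fixed package) remains a separate, deliberate step.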
Comment 1 Larry the Git Cow gentoo-dev 2024-06-01 09:21:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a5d43a7ec0ab0b7fd63b79e876625e2f0edfc3d

commit 4a5d43a7ec0ab0b7fd63b79e876625e2f0edfc3d
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-06-01 09:20:57 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-06-01 09:21:29 +0000

    kde-apps/konqueror: Disable build of webarchive thumbnailer plugin
    
    Bug: https://bugs.gentoo.org/933344
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/konqueror/konqueror-23.08.5-r1.ebuild | 90 ++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-06-13 17:40:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8010f5b858f4558bcc3a777715e2622283103363

commit 8010f5b858f4558bcc3a777715e2622283103363
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-06-13 17:39:28 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-06-13 17:39:28 +0000

    kde-apps/konqueror: drop 23.08.5
    
    Bug: https://bugs.gentoo.org/933344
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/konqueror/konqueror-23.08.5.ebuild | 87 -----------------------------
 1 file changed, 87 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2024-06-13 17:40:52 UTC
Cleanup done, kde proj out.