| Summary: | <kde-base/kdepim-common-libs-4.8.3-r1, <kde-base/kmail-4.8.3-r1: KDEPIM 4.8 javascript handling vulnerability (CVE-2012-3413) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Andreas K. Hüttel <dilfridge> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ackle |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2012/07/13/3 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Andreas K. Hüttel
2012-07-08 22:30:29 UTC
Is fixed in

* kde-base/kdepim-common-libs-4.8.3-r1
* kde-base/kmail-4.8.3-r1
* kde-base/kdepim-common-libs-4.8.4-r1
* kde-base/kmail-4.8.4-r1

Arches (amd64, x86) please fast-stabilize the 4.8.3 variants:

* kde-base/kdepim-common-libs-4.8.3-r1
* kde-base/kmail-4.8.3-r1

done for amd64 and x86.

Thanks for the report, Andreas. Agostino, thank you for the stabilizing. Andreas, do you know if KDE will make this issue public?

The issue is public as per $URL.

GLSA vote: no

CVE-2012-3413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3413): The HTMLQuoteColorer::process function in messageviewer/htmlquotecolorer.cpp in KDE PIM 4.6 through 4.8 does not disable JavaScript, Java, and Plugins, which allows remote attackers to inject arbitrary web script or HTML via a crafted email.

GLSA Vote: no too, closing noglsa.