Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 717928 (CVE-2020-11880)

Summary: <kde-apps/kmail-19.12.3: Possible disclosure of local files by attachments (CVE-2020-11880)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://cgit.kde.org/kmail.git/commit/?id=2a348eccd352260f192d9b449492071bbf2b34b1
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 18:03:44 UTC 
Description:
"An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value."

----
Tree is already clean.
Comment 1 Andreas Sturmlechner gentoo-dev 2020-04-30 18:57:56 UTC 
kde proj has nothing to do here, I guess.