
Bug 933344

Summary: <kde-apps/konqueror-23.08.5-r1: HTML Thumbnailer automatic remote file access
Product: Gentoo Security
Reporter: Andreas Sturmlechner <asturm>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://kde.org/info/security/advisory-20240423-1.txt
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 933341    
Bug Blocks:    

Description Andreas Sturmlechner gentoo-dev 2024-06-01 07:19:32 UTC
Overview
========
Various KDE applications share a plugin system to create thumbnails
of various file types for displaying in file managers, file dialogs, etc.

konqueror contains a thumbnailer plugin for HTML files.

The konqueror HTML thumbnailer was incorrectly accessing some content of
remote URLs listed in HTML files. This meant that the owners of the servers
referred to in HTML files in your system could have seen in their access logs
your IP address every time the thumbnailer tried to create the thumbnail.

The HTML thumbnailer using Qt6 is fixed and does not access remote URLs anymore.

Workaround
==========
Remove the HTML Thumbnailer plugin from your system.
The file name is webarchivethumbnail.so and should be in your Qt plugin path.
The Qt plugin path can be queried with
    qmake -query QT_INSTALL_PLUGINS

Solution
========
Update to a konqueror version using Qt6
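
A check for whether the workaround has been applied on a host, as an added example that is not part of the bug report or the KDE advisory. The function names and the `--audit` argument are hypothetical; reading `QT_PLUGIN_PATH` in addition to the `qmake` query is an assumption about where extra plugin roots may be configured.

```shell
#!/bin/sh
# Added example: look for the HTML thumbnailer plugin under the Qt plugin roots.

PLUGIN_NAME="webarchivethumbnail.so"   # file name given in the advisory

# Print every copy of the plugin found beneath the given directories.
# Returns 0 if at least one copy exists, 1 if none was found.
find_html_thumbnailer() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue      # skip roots that do not exist
        # The plugin may sit in a subdirectory of the root, so search recursively.
        matches=$(find "$dir" -name "$PLUGIN_NAME" \( -type f -o -type l \) 2>/dev/null)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches"
            found=0
        fi
    done
    return "$found"
}

# Print candidate plugin roots, one per line: the directory qmake reports,
# plus any entries in QT_PLUGIN_PATH (assumption: colon-separated, if set).
qt_plugin_roots() {
    if command -v qmake >/dev/null 2>&1; then
        qmake -query QT_INSTALL_PLUGINS
    fi
    if [ -n "${QT_PLUGIN_PATH:-}" ]; then
        printf '%s\n' "$QT_PLUGIN_PATH" | tr ':' '\n'
    fi
}

# With --audit (hypothetical flag): exit 1 if the plugin is still installed,
# exit 2 if no plugin root could be determined, exit 0 if the host is clean.
if [ "${1:-}" = "--audit" ]; then
    roots=$(qt_plugin_roots)
    [ -n "$roots" ] || { echo "no Qt plugin path found" >&2; exit 2; }
    old_ifs=$IFS
    IFS='
'
    set -f; set -- $roots; set +f      # split on newlines only, no globbing
    IFS=$old_ifs
    if find_html_thumbnailer "$@"; then
        echo "HTML thumbnailer plugin present: remove it or update konqueror" >&2
        exit 1
    fi
    echo "HTML thumbnailer plugin not found"
fi
```
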
Comment 1 Larry the Git Cow gentoo-dev 2024-06-01 09:21:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a5d43a7ec0ab0b7fd63b79e876625e2f0edfc3d

commit 4a5d43a7ec0ab0b7fd63b79e876625e2f0edfc3d
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-06-01 09:20:57 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-06-01 09:21:29 +0000

    kde-apps/konqueror: Disable build of webarchive thumbnailer plugin
    
    Bug: https://bugs.gentoo.org/933344
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/konqueror/konqueror-23.08.5-r1.ebuild | 90 ++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-06-13 17:40:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8010f5b858f4558bcc3a777715e2622283103363

commit 8010f5b858f4558bcc3a777715e2622283103363
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-06-13 17:39:28 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-06-13 17:39:28 +0000

    kde-apps/konqueror: drop 23.08.5
    
    Bug: https://bugs.gentoo.org/933344
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/konqueror/konqueror-23.08.5.ebuild | 87 -----------------------------
 1 file changed, 87 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2024-06-13 17:40:52 UTC
Cleanup done, kde proj out.