Bug 425388 (CVE-2012-3413) - <kde-base/kdepim-common-libs-4.8.3-r1, <kde-base/kmail-4.8.3-r1: KDEPIM 4.8 javascript handling vulnerability (CVE-2012-3413)
Status: RESOLVED FIXED
Alias: CVE-2012-3413
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Reported: 2012-07-08 22:30 UTC by Andreas K. Hüttel
Modified: 2012-08-11 16:46 UTC
Description Andreas K. Hüttel archtester gentoo-dev 2012-07-08 22:30:29 UTC
According to an announcement on the closed list kde-packager, a JavaScript-related vulnerability has been fixed in KDEPIM. See below for the e-mail text; very recent, so no IDs or official advisories yet. Fixed ebuilds will be committed in a few moments (making bug first so I have the bug number for reference).

----------------------------------------

During Akademy we found a security problem.
Please add this patch to your package.
Thanks


----------  Forwarded message  ----------

Subject: [kdepim/KDE/4.8] messageviewer: Security fix found by David yesterday during debug
Date: Monday 2 July 2012, 08:32:49
From: Montel Laurent <montel@kde.org>
To: kde-commits@kde.org

Git commit dbb2f72f4745e00f53031965a9c10b2d6862bd54 by Montel Laurent.
Committed on 02/07/2012 at 07:00.
Pushed by mlaurent into branch 'KDE/4.8'.

Security fix found by David yesterday during debug
(cherry picked from commit b6a46407d83ad9368a9825c687fa44e660f7104a)

M  +4    -0    messageviewer/htmlquotecolorer.cpp

http://commits.kde.org/kdepim/dbb2f72f4745e00f53031965a9c10b2d6862bd54

diff --git a/messageviewer/htmlquotecolorer.cpp 
b/messageviewer/htmlquotecolorer.cpp
index b54e989..67c3062 100644
--- a/messageviewer/htmlquotecolorer.cpp
+++ b/messageviewer/htmlquotecolorer.cpp
@@ -40,6 +40,10 @@ QString HTMLQuoteColorer::process( const QString 
&htmlSource )
 #ifndef KDEPIM_NO_WEBKIT
   // Create a DOM Document from the HTML source
   QWebPage page(0);
+  page.settings()->setAttribute( QWebSettings::JavascriptEnabled, false );
+  page.settings()->setAttribute( QWebSettings::JavaEnabled, false );
+  page.settings()->setAttribute( QWebSettings::PluginsEnabled, false );
+
   QWebFrame *frame = page.mainFrame();
   frame->setHtml( htmlSource );
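
Review bot: the three setAttribute calls added after "QWebPage page(0);" carry no comment saying why they are there, so a later cleanup could drop them as redundant on a page that is only used to build a DOM. Add a one-line comment above them stating that htmlSource is mail content and that script, Java and plugins must stay off for this page. The calls sit before "frame->setHtml( htmlSource );", which is the order that matters; keep them ahead of setHtml if this block is refactored. It is also worth confirming in this review whether any other QWebSettings default, for example QWebSettings::AutoLoadImages, should be switched off on this throwaway page for the same reason, since the patch turns off three specific attributes rather than starting from a locked-down settings object.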
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2012-07-08 22:43:37 UTC
Is fixed in 
* kde-base/kdepim-common-libs-4.8.3-r1
* kde-base/kmail-4.8.3-r1
* kde-base/kdepim-common-libs-4.8.4-r1
* kde-base/kmail-4.8.4-r1

Arches (amd64, x86) please fast-stabilize the 4.8.3 variants:
* kde-base/kdepim-common-libs-4.8.3-r1
* kde-base/kmail-4.8.3-r1
Comment 2 Agostino Sarubbo gentoo-dev 2012-07-09 13:57:33 UTC
done for amd64 and x86.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-11 23:16:42 UTC
Thanks for the report, Andreas. Agostino, thank you for the stabilizing.

Andreas, do you know if KDE will make this issue public?
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-07-15 10:53:34 UTC
The issue is public as per $URL.

GLSA vote: no
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-08-08 11:31:18 UTC
CVE-2012-3413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3413):
  The HTMLQuoteColorer::process function in messageviewer/htmlquotecolorer.cpp
  in KDE PIM 4.6 through 4.8 does not disable JavaScript, Java, and Plugins,
  which allows remote attackers to inject arbitrary web script or HTML via a
  crafted email.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-08-11 16:46:39 UTC
GLSA Vote: no too, closing noglsa.