According to an announcement on the closed list kde-packager, a JavaScript-related vulnerability has been fixed in KDEPIM. See below for the e-mail text; very recent, so no IDs or official advisories yet. Fixed ebuilds will be committed in a few moments (making bug first so I have the bug number for reference).

----------------------------------------
During Akademy we found a security problem.
Please add this patch to your package.
Thanks

---------- Forwarded message ----------
Subject: [kdepim/KDE/4.8] messageviewer: Security fix found by David yesterday during debug
Date: Monday 2 July 2012, 08:32:49
From: Montel Laurent <montel@kde.org>
To: kde-commits@kde.org

Git commit dbb2f72f4745e00f53031965a9c10b2d6862bd54 by Montel Laurent.
Committed on 02/07/2012 at 07:00.
Pushed by mlaurent into branch 'KDE/4.8'.

Security fix found by David yesterday during debug
(cherry picked from commit b6a46407d83ad9368a9825c687fa44e660f7104a)

M +4 -0 messageviewer/htmlquotecolorer.cpp

http://commits.kde.org/kdepim/dbb2f72f4745e00f53031965a9c10b2d6862bd54

diff --git a/messageviewer/htmlquotecolorer.cpp b/messageviewer/htmlquotecolorer.cpp index b54e989..67c3062 100644 --- a/messageviewer/htmlquotecolorer.cpp +++ b/messageviewer/htmlquotecolorer.cpp @@ -40,6 +40,10 @@ QString HTMLQuoteColorer::process( const QString &htmlSource ) #ifndef KDEPIM_NO_WEBKIT // Create a DOM Document from the HTML source QWebPage page(0); + page.settings()->setAttribute( QWebSettings::JavascriptEnabled, false ); + page.settings()->setAttribute( QWebSettings::JavaEnabled, false ); + page.settings()->setAttribute( QWebSettings::PluginsEnabled, false ); + QWebFrame *frame = page.mainFrame(); frame->setHtml( htmlSource );
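Review bot: The three added setAttribute calls directly after "QWebPage page(0);" have no comment saying why JavaScript, Java and plugins are switched off, and the only comment in the hunk still reads "Create a DOM Document from the HTML source". Since htmlSource is handed to frame->setHtml() two lines later, a one-line comment stating that the source is untrusted message content and must be parsed with active content disabled would keep a later cleanup from dropping these lines. The settings are applied before setHtml(), which is the order that matters, so no change is needed there. The commit message would also be easier to track later if it said what was fixed instead of only "Security fix found by David yesterday during debug".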
Is fixed in

* kde-base/kdepim-common-libs-4.8.3-r1
* kde-base/kmail-4.8.3-r1
* kde-base/kdepim-common-libs-4.8.4-r1
* kde-base/kmail-4.8.4-r1

Arches (amd64, x86) please fast-stabilize the 4.8.3 variants:

* kde-base/kdepim-common-libs-4.8.3-r1
* kde-base/kmail-4.8.3-r1
done for amd64 and x86.
Thanks for the report, Andreas. Agostino, thank you for the stabilizing. Andreas, do you know if KDE will make this issue public?
The issue is public as per $URL. GLSA vote: no
CVE-2012-3413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3413): The HTMLQuoteColorer::process function in messageviewer/htmlquotecolorer.cpp in KDE PIM 4.6 through 4.8 does not disable JavaScript, Java, and Plugins, which allows remote attackers to inject arbitrary web script or HTML via a crafted email.
GLSA Vote: no too, closing noglsa.