Bug 596224 (CVE-2016-7966) - <kde-apps/kdepimlibs-{4.14.10-r2,4.14.11_pre20160211-r2}, <kde-frameworks/kcoreaddons-5.26.0-r2: HTML injection in plain text viewer
Status: RESOLVED FIXED
Alias: CVE-2016-7966
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.kde.org/info/security/adv...
Whiteboard: A4 [noglsa]
Depends on: 596282
Blocks: 596214
Reported: 2016-10-05 10:39 UTC by Michael Palimaka (kensington)
Modified: 2016-11-04 08:50 UTC
Description Michael Palimaka (kensington) gentoo-dev 2016-10-05 10:39:29 UTC
----------  Forwarded message  ----------

Subject: Draft: KMail - HTML injection in plain text viewer
Date: Tuesday, 4 October 2016, 11:28:46 CEST
From: Andre Heinecke <aheinecke@gnupg.org>
To: security@kde.org

Hi,

First about the HTML injection in the plain text viewer:
I think it might have been introduced by Kdepimlibs commit
e52b9858e31c36b3372e67928b8e35a41d559f23.

This would mean that versions since v4.4.0 are affected. But I have not
confirmed that; I have only tested with 4.14 and checked that the
enterprise 3.5 branch is not affected.

KDE Project Security Advisory
=============================

Title:             KMail: HTML injection
Risk Rating:  Important
CVE:              #TODO
Platforms:      All
Versions:       kmail >= 4.4.0
Author:         #TODO
Date:            #TODO

Overview
========

Through a malicious URL that contained a quote character it
was possible to inject HTML code in KMail's plain text viewer.
Due to the parser used on the URL it was not possible to include
the equal sign (=) or a space into the injected HTML, which greatly
reduces the available HTML functionality. Although it is possible
to include an HTML comment indicator to hide content.

Impact
======

An unauthenticated attacker can send out mails with malicious content
that breaks KMail's plain text HTML escape logic. Due to the limitations
of the provided HTML in itself it might not be serious. But as a way
to break out of KMail's restricted Plain text mode this might open
the way to the exploitation of other vulnerabilities in the HTML viewer
code, which is disabled by default.

Workaround
==========

None.

Solution
========

For KDE Frameworks based releases of KMail apply the following patch to 
kcoreaddons:

https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12

For KDE 4 apply the following patch:
https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and Laurent Montel for
fixing this issue.
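The bug class the advisory describes, shown as an added example that is not the kcoreaddons or kdepimlibs code: a plain-text linkifier whose escaper handles text nodes but not quoted attribute values, beside a hardened escaper, plus an output check a reviewer can run. All function names and the sample URL are constructed for this illustration.

```cpp
#include <string>

// Escapes the characters that matter in an HTML text node. It deliberately
// leaves the quote character alone, modelling the bug class in the advisory:
// safe for text content, unsafe for a quoted attribute value. Constructed
// illustration only, not the kcoreaddons or kdepimlibs code.
std::string escapeTextOnly(const std::string &in) {
    std::string out;
    for (char c : in) {
        if (c == '&') out += "&amp;";
        else if (c == '<') out += "&lt;";
        else if (c == '>') out += "&gt;";
        else out += c;
    }
    return out;
}

// Hardened escaper for attribute values: also neutralises both quote
// characters, so the value cannot terminate the attribute it sits in.
std::string escapeAttribute(const std::string &in) {
    std::string out;
    for (char c : in) {
        if (c == '"') out += "&quot;";
        else if (c == '\'') out += "&#39;";
        else out += escapeTextOnly(std::string(1, c));
    }
    return out;
}

// Turns a URL found in plain text into an anchor. `attrEscape` is the
// escaper applied to the href attribute value; the link text is escaped
// as ordinary text in both cases.
std::string linkify(const std::string &url,
                    std::string (*attrEscape)(const std::string &)) {
    return "<a href=\"" + attrEscape(url) + "\">" + escapeTextOnly(url) + "</a>";
}

// Output check a reviewer can apply: the first href attribute must be
// closed by a quote that is immediately followed by '>'. If the URL's own
// quote closed the attribute early, something else follows instead.
bool hrefIsContained(const std::string &html) {
    const std::string marker = "href=\"";
    size_t start = html.find(marker);
    if (start == std::string::npos) return false;
    size_t end = html.find('"', start + marker.size());
    return end != std::string::npos && end + 1 < html.size() && html[end + 1] == '>';
}
```

Run `hrefIsContained` over the output of both escapers with a URL containing a single quote character to see the text-only escaper fail the check while the attribute escaper passes it.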
Comment 1 Michael Palimaka (kensington) gentoo-dev 2016-10-06 18:34:05 UTC
Arch teams, please test and stabilise:

kde-apps/kdepimlibs-4.14.10-r1
kde-apps/kdepimlibs-4.14.11_pre20160211-r1

Target KEYWORDS="amd64 x86".

kde-frameworks/kcoreaddons is fixed in 5.26.0-r1, however that will be handled separately in bug #596282.
Comment 2 Agostino Sarubbo gentoo-dev 2016-10-07 09:38:41 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-10-07 09:39:09 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2016-10-07 15:55:47 UTC
Cleanup is done for kde-apps/kdepimlibs, I will wait a few days to clean up old kde-frameworks/kcoreaddons since this requires also cleaning up all related kde-frameworks packages and 5.26 is only just going stable.
Comment 5 Michael Palimaka (kensington) gentoo-dev 2016-10-12 17:32:16 UTC
Cleanup complete.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-10-13 03:08:08 UTC
GLSA Vote: No
Comment 7 Michael Palimaka (kensington) gentoo-dev 2016-11-02 11:23:46 UTC
Upstream has advised that the previously-announced fixes were insufficient.
Comment 8 Michael Palimaka (kensington) gentoo-dev 2016-11-02 12:07:40 UTC
Arch teams, please test and stabilise:

kde-frameworks/kcoreaddons-5.26.0-r2
kde-apps/kdepimlibs-4.14.10-r2
kde-apps/kdepimlibs-4.14.11_pre20160211-r2

This also affected kde-frameworks/kcoreaddons-5.27.0 (testing) and is fixed in -r1.
Comment 9 Agostino Sarubbo gentoo-dev 2016-11-04 08:21:16 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-11-04 08:24:35 UTC
x86 stable.

Maintainer(s), please cleanup.