---------- Forwarded message ----------
Subject: Draft: KMail - HTML injection in plain text viewer
Date: Tuesday, 4 October 2016, 11:28:46 CEST
From: Andre Heinecke <aheinecke@gnupg.org>
To: security@kde.org

Hi,

First about the HTML injection in the plain text viewer:

I think it might have been introduced by: Kdepimlibs commit e52b9858e31c36b3372e67928b8e35a41d559f23

This would mean that versions since v4.4.0 are affected. But it may; I have not confirmed that. I have only tested with 4.14 and checked that the enterprise 3.5 branch is not affected.

KDE Project Security Advisory
=============================

Title:        KMail: HTML injection
Risk Rating:  Important
CVE:          #TODO
Platforms:    All
Versions:     kmail >= 4.4.0
Author:       #TODO
Date:         #TODO

Overview
========

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality, although it is possible to include an HTML comment indicator to hide content.

Impact
======

An unauthenticated attacker can send out mails with malicious content that breaks KMail's plain text HTML escape logic. Due to the limitations of the provided HTML in itself it might not be serious. But as a way to break out of KMail's restricted plain text mode this might open the way to the exploitation of other vulnerabilities in the HTML viewer code, which is disabled by default.

Workaround
==========

None.

Solution
========

For KDE Frameworks based releases of KMail apply the following patch to kcoreaddons:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12

For KDE 4 apply the following patch:
https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from Intevation GmbH for analysing the problems and Laurent Montel for fixing this issue.
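The escape bug the advisory describes, as an added illustration that is not KMail's or kcoreaddons' code: a minimal plain-text linkifier that escapes the message body but pastes the recognised URL into `href="..."` unescaped, beside the corrected version that escapes the attribute value too. The scanner rule (a URL ends at a space, newline or `=`) and all function names are assumptions chosen to mirror the limits the advisory mentions.

```cpp
#include <string>

// Escape the characters that matter inside HTML text and attribute values.
std::string htmlEscape(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        default:   out += c;
        }
    }
    return out;
}

// Hypothetical URL scanner: the URL runs up to the next space, newline or '=',
// which is why neither character can appear in the injected markup.
static size_t urlEnd(const std::string &t, size_t pos) {
    while (pos < t.size() && t[pos] != ' ' && t[pos] != '\n' && t[pos] != '=') ++pos;
    return pos;
}

// Render plain text as HTML, wrapping URLs in <a>. With escapeHref == false the
// raw URL lands inside href="...": a quote in the URL closes the attribute and
// everything after it is interpreted as HTML. That is the flawed pattern.
static std::string linkify(const std::string &text, bool escapeHref) {
    std::string out;
    size_t i = 0;
    while (i < text.size()) {
        bool isUrl = text.compare(i, 7, "http://") == 0 || text.compare(i, 8, "https://") == 0;
        if (!isUrl) { out += htmlEscape(text.substr(i, 1)); ++i; continue; }
        size_t end = urlEnd(text, i);
        std::string url = text.substr(i, end - i);
        out += "<a href=\"" + (escapeHref ? htmlEscape(url) : url) + "\">" + htmlEscape(url) + "</a>";
        i = end;
    }
    return out;
}

std::string linkifyVulnerable(const std::string &text) { return linkify(text, false); }
std::string linkifyFixed(const std::string &text)      { return linkify(text, true); }

// Detection helper: true if the output carries markup the linkifier itself never
// emits, i.e. tags or a comment opener that came from the message body.
bool containsInjectedTag(const std::string &html) {
    return html.find("<b>") != std::string::npos || html.find("<!--") != std::string::npos;
}
```

Constructed input such as `see https://example.invalid/"><b>x</b> bye` survives the vulnerable path as live markup and comes out fully escaped on the fixed path.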
Arch teams, please test and stabilise:
kde-apps/kdepimlibs-4.14.10-r1
kde-apps/kdepimlibs-4.14.11_pre20160211-r1
Target KEYWORDS="amd64 x86".

kde-frameworks/kcoreaddons is fixed in 5.26.0-r1, however that will be handled separately in bug #596282.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Cleanup is done for kde-apps/kdepimlibs, I will wait a few days to clean up old kde-frameworks/kcoreaddons since this requires also cleaning up all related kde-frameworks packages and 5.26 is only just going stable.
Cleanup complete.
GLSA Vote: No
Upstream has advised that the previously-announced fixes were insufficient.
Arch teams, please test and stabilise:
kde-frameworks/kcoreaddons-5.26.0-r2
kde-apps/kdepimlibs-4.14.10-r2
kde-apps/kdepimlibs-4.14.11_pre20160211-r2

This also affected kde-frameworks/kcoreaddons-5.27.0 (testing) and is fixed in -r1.
x86 stable. Maintainer(s), please cleanup.
Thanks. Cleanup done. Remove maintainer from cc.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7a6154791d723f7fcbf279d65c8bea98e6ad972
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9805f9685e3de42755d769ab31e73e30416cc1ef