KDE Project Security Advisory
=============================

Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: #TODO
Platforms: All
Versions: kmail 5.3.0
Author: #TODO
Date: #TODO

Overview
========

KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated HTML is executed in the local file security context by default, access to remote and local URLs was enabled.

Impact
======

An unauthenticated attacker can send out mails with malicious content containing executable JavaScript code that reads or writes local files and sends them to remote URLs, or changes the contents of local files in malicious ways. The code is executed when viewing the HTML mails. Combined with CVE #TODO this could .

Workaround
==========

Assuming a version with CVE #TODO fixed, a user is protected from this by only viewing plain text mails.

Solution
========

For KMail apply the following patch:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from Intevation GmbH for analysing the problems and reviewing the fix, and Laurent Montel for fixing the issues.
It's going to be difficult to backport the fix for this cleanly, so I will wait for 16.08.2 which is due in a few days (note that this package is currently masked).
Fixed version is in the tree and old one removed. No stabilisation is required as this package has never yet been stabilised.