Bug 596228 (CVE-2016-7968) - <kde-apps/messagelib-16.08.2 - JavaScript execution in HTML Mails (CVE-2016-7968)
Summary: <kde-apps/messagelib-16.08.2 - JavaScript execution in HTML Mails (CVE-2016-7968)
Alias: CVE-2016-7968
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Depends on:
Blocks: 596214
Reported: 2016-10-05 10:44 UTC by Michael Palimaka (kensington)
Modified: 2016-10-20 23:58 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michael Palimaka (kensington) gentoo-dev 2016-10-05 10:44:14 UTC
KDE Project Security Advisory

Title:          KMail: JavaScript execution in HTML Mails
Risk Rating:    Normal
CVE:            #TODO
Platforms:      All
Versions:       kmail 5.3.0
Author:         #TODO
Date:            # TODO


KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. HTML Mail contents were not sanitized for 
JavaScript and included code was executed.


An unauthenticated attacker can send out mails with JavaScript to manipulate 
the display of messages. The JavaScript executed might be used as an entry 
point for further exploits.


Assuming a version with CVE #TODO fixed, a user is protected
from this by only viewing plain text mails.


The full solution disables JavaScript in the Mailviewer of KMail. This 
requires API introduced in Qt 5.7.0 so KMail needs to be built with
Qt 5.7.0 and the following patch:

For versions previous to 5.7.0 the following patches partly sanitize mails but 
still make it possible to inject code:


Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix,
and Laurent Montel for fixing the issues.
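Added example (not part of this bug report, and not the KDE messagelib code or the patches the advisory refers to): the advisory says the pre-Qt-5.7 patches only partly sanitize mails and still leave code injection possible, while the full fix disables JavaScript in the viewer. The Python below, with constructed sample mail bodies, shows why a regex blocklist over raw HTML is the weaker of the two approaches and what a parser-based allowlist does instead. Tag and attribute allowlists, the `cid:`/`https:` scheme list and the sample mails are all assumptions made for the example; none of it is KMail's behaviour.

```python
"""Blocklist vs. allowlist handling of HTML mail bodies.

Constructed example, not code from KDE messagelib or the patches mentioned
in the advisory.  Disabling script execution in the viewer remains the
real fix; any sanitizer is only defence in depth.
"""
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample mail bodies (made up for this example).
BENIGN_MAIL = '<p>Hello <b>there</b>, see <a href="https://example.org/x">this</a>.</p>'
HANDLER_MAIL = '<p>Hi</p><img src="cid:part1" onerror="alert(1)">'
JS_URL_MAIL = '<a href="javascript:alert(1)">click</a>'
# A <script></script> pair nested inside a split-up tag name defeats a
# single-pass regex: removing the inner pair reassembles <script>.
NESTED_SCRIPT_MAIL = "<p>Hi</p><scr<script></script>ipt>alert(1)</scr<script></script>ipt>"

URL_ATTRS = {"href", "src"}
# Allowlists are assumptions for this example, not KMail's.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "cid:")


def naive_strip_scripts(body: str) -> str:
    """Blocklist approach: one pass of regexes over the raw markup."""
    body = re.sub(r"<script\b[^>]*>.*?</script>", "", body, flags=re.I | re.S)
    body = re.sub(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", "", body, flags=re.I)
    return body


def _safe_url(value: str) -> bool:
    # Browsers ignore ASCII control/whitespace inside a scheme ("java\tscript:"),
    # so strip them before checking it against the allowed schemes.
    cleaned = re.sub(r"[\x00-\x20]", "", value.lower())
    return cleaned.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the mail from allowed tags/attributes only; everything else
    (script elements and their content, on* handlers, javascript: URLs,
    unknown tags) is dropped and text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler and unknown attribute
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def allowlist_sanitize(body: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


class _ActiveContentScanner(HTMLParser):
    """Reports script elements, on* handlers and javascript: URLs that a
    viewer with JavaScript enabled would execute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and re.sub(r"[\x00-\x20]", "", (value or "").lower()).startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} of <{tag}>")

    handle_startendtag = handle_starttag


def active_content(body: str) -> list:
    """Script execution vectors still present in `body` (empty list if clean)."""
    scanner = _ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, mail in [("benign", BENIGN_MAIL), ("handler", HANDLER_MAIL),
                       ("js-url", JS_URL_MAIL), ("nested", NESTED_SCRIPT_MAIL)]:
        print(f"{name:8} naive     -> {active_content(naive_strip_scripts(mail)) or 'clean'}")
        print(f"{name:8} allowlist -> {active_content(allowlist_sanitize(mail)) or 'clean'}")
```

The blocklist handles the obvious `onerror="..."` case but reassembles a `<script>` element from the nested sample and never looks at `javascript:` URLs at all; every vector it does not enumerate gets through. The allowlist only emits what it has positively recognised, so the same inputs come out as inert markup and escaped text. Even so, it only reduces exposure in the viewer; the advisory's actual fix, turning JavaScript off in the viewer, is what removes the execution path.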
Comment 1 Michael Palimaka (kensington) gentoo-dev 2016-10-07 16:00:32 UTC
It's going to be difficult to backport the fix for this cleanly, so I will wait for 16.08.2 which is due in a few days (note that this package is currently masked).
Comment 2 Michael Palimaka (kensington) gentoo-dev 2016-10-19 18:05:46 UTC
Fixed version is in the tree and old one removed. No stabilisation is required as this package has never yet been stabilised.