Bug 596228 (CVE-2016-7968) - <kde-apps/messagelib-16.08.2 - JavaScript execution in HTML Mails (CVE-2016-7968)
Status: RESOLVED FIXED
Alias: CVE-2016-7968
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.kde.org/info/security/adv...
Whiteboard: B2 [noglsa]
Blocks: 596214
Reported: 2016-10-05 10:44 UTC by Michael Palimaka (kensington)
Modified: 2016-10-20 23:58 UTC (History)
Description Michael Palimaka (kensington) gentoo-dev 2016-10-05 10:44:14 UTC
KDE Project Security Advisory
=============================

Title:          KMail: JavaScript execution in HTML Mails
Risk Rating:    Normal
CVE:            #TODO
Platforms:      All
Versions:       kmail 5.3.0
Author:         #TODO
Date:            # TODO

Overview
========

KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. HTML Mail contents were not sanitized for 
JavaScript and included code was executed.

Impact
======

An unauthenticated attacker can send out mails with JavaScript to manipulate 
the display of messages. The JavaScript executed might be used as an entry 
point for further exploits.

Workaround
==========

Assuming a version with CVE #TODO fixed, a user is protected
from this by only viewing plain text mails.

Solution
========

The full solution disables JavaScript in the Mailviewer of KMail. This 
requires API introduced in Qt 5.7.0 so KMail needs to be built with
Qt 5.7.0 and the following patch:

https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=f601f9ffb706f7d3a5893b04f067a1f75da62c99

For versions previous to 5.7.0 the following patches partly sanitize mails but 
still make it possible to inject code:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=3503b75e9c79c3861e182588a0737baf165abd23
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=a8744798dfdf8e41dd6a378e48662c66302b0019
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=77976584a4ed2797437a2423704abdd7ece7834a
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=fb1be09360c812d24355076da544030a67b736fc
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=0402c17a8ead92188971cb604d905b3072d56a73

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix,
and Laurent Montel for fixing the issues.
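The advisory above describes the pre-Qt-5.7 patches as partial: they sanitize some of the mail body but still leave ways to inject code, which is why the full solution disables JavaScript in the viewer instead. The following is an added example, not code from messagelib, KMail or the advisory's patches. It runs a naive sanitizer that only deletes `<script>` blocks over a handful of constructed HTML mails and reports which JavaScript execution vectors survive. All sample mails, function names and the vector patterns are assumptions made for this illustration; they are not the reporter's test cases.

```javascript
// Added example, not code from messagelib or KMail. It shows why stripping
// <script> blocks from HTML mail is not a complete fix when the viewer still
// has JavaScript enabled. All sample mails below are constructed.

const SAMPLE_MAILS = {
  // The obvious case, which block stripping does catch.
  scriptTag: '<p>Hello</p><SCRIPT type="text/javascript">alert(1)</SCRIPT>',
  // Inline event handler: runs when the (missing) image fails to load.
  eventHandler: '<p>Hello</p><img src="x" onerror="alert(1)">',
  // javascript: URL in a link: runs when the user clicks it.
  javascriptUrl: '<a href="javascript:alert(1)">read more</a>',
  // SVG onload: runs as soon as the element is parsed, no user action needed.
  svgOnload: '<p>Hello</p><svg onload="alert(1)"></svg>',
};

// Naive "partial sanitization": delete <script>...</script> blocks, nothing else.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Heuristic, case-insensitive patterns for JavaScript that a Chromium-based
// (QWebEngine-style) viewer would still execute with JavaScript enabled.
// Deliberately simple; a parser-based check would be needed in production.
const RESIDUAL_VECTORS = [
  { name: 'script-tag', re: /<script\b/i },
  { name: 'event-handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
];

// Return the names of every execution vector still present in html.
function residualJsVectors(html) {
  return RESIDUAL_VECTORS.filter((v) => v.re.test(html)).map((v) => v.name);
}

// Run the naive stripper over every sample and report what survives it.
function auditAll(mails = SAMPLE_MAILS) {
  const report = {};
  for (const [name, html] of Object.entries(mails)) {
    report[name] = residualJsVectors(stripScriptTags(html));
  }
  return report;
}

// True only if the stripper alone would have been a complete fix.
function strippingIsSufficient(mails = SAMPLE_MAILS) {
  return Object.values(auditAll(mails)).every((v) => v.length === 0);
}

// Stand-alone run (guarded so the file also loads as an ES module).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditAll());
  console.log('stripping sufficient:', strippingIsSufficient());
}
```

Only the `<script>` sample comes out clean; the event handler, the `javascript:` link and the SVG `onload` all survive, and a blocklist of this kind can be extended indefinitely without ever being provably complete. That is the reasoning behind the advisory's full solution: turning JavaScript off in the viewer means none of these vectors can execute, whatever the mail contains, and the plain-text workaround achieves the same effect by never handing HTML to the engine at all.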
Comment 1 Michael Palimaka (kensington) gentoo-dev 2016-10-07 16:00:32 UTC
It's going to be difficult to backport the fix for this cleanly, so I will wait for 16.08.2 which is due in a few days (note that this package is currently masked).
Comment 2 Michael Palimaka (kensington) gentoo-dev 2016-10-19 18:05:46 UTC
Fixed version is in the tree and old one removed. No stabilisation is required as this package has never yet been stabilised.