From $URL: KDE Project Security Advisory ============================= Title: messagelib: HTML email can open browser window automatically Risk Rating: Low CVE: CVE-2018-19516 Versions: KDE Applications < 18.12.0 Date: 28 November 2018 Overview ======== messagelib is the library used by KMail to display emails. messagelib by default displays emails as plain text, but gives the user an option to "Prefer HTML to plain text" in the settings and if that option is not enabled there is way to enable HTML display when an email contains HTML. Some HTML emails can trick messagelib into opening a new browser window when displaying said email as HTML. This happens even if the option to allow the HTML emails to access remote servers is disabled in KMail settings. This means that the owners of the servers referred in the email can see in their access logs your IP address. Workaround ========== Do not enable "Prefer HTML to plain text" in KMail settings. Solution ======== Update to KDE Applications >= 18.12.0 Or apply the following patch: https://cgit.kde.org/messagelib.git/commit/?id=34765909cdf8e55402a8567b48fb288839c61612 Credits ======= Thanks to Jany Belluz for the report and to Laurent Montel for the fix.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b7826b1c6186fe0dea304ff3108cf9610210925 commit 4b7826b1c6186fe0dea304ff3108cf9610210925 Author: Michael Palimaka <kensington@gentoo.org> AuthorDate: 2018-12-01 02:37:24 +0000 Commit: Michael Palimaka <kensington@gentoo.org> CommitDate: 2018-12-01 02:37:58 +0000 kde-apps/messagelib: revision bump resolving CVE-2018-19516 Bug: https://bugs.gentoo.org/672312 Package-Manager: Portage-2.3.51, Repoman-2.3.12 Signed-off-by: Michael Palimaka <kensington@gentoo.org> .../files/messagelib-18.04.3-CVE-2018-19516.patch | 17 +++++ .../files/messagelib-18.08.3-CVE-2018-19516.patch | 29 +++++++++ kde-apps/messagelib/messagelib-18.04.3-r1.ebuild | 72 +++++++++++++++++++++ kde-apps/messagelib/messagelib-18.08.3-r2.ebuild | 74 ++++++++++++++++++++++ 4 files changed, 192 insertions(+)
For stable, this is fixed in kde-apps/mesagelib-18.04.3-r1. For unstable, this is fixed in 18.08.3-r2. Arch teams, please test and stabilise kde-apps/mesagelib-18.04.3-r1.
An automated check of this bug failed - the following atom is unknown: kde-apps/mesagelib-18.04.3-r1 Please verify the atom list.
An automated check of this bug succeeded - the previous repoman errors are now resolved.
- 18.08.3-r2 was stabilised in bug 670862 - Security cleanup done in commit beb6ed08d4fbd0d732510a629faf8faeefb49f01
(In reply to Andreas Sturmlechner from comment #5) > - 18.08.3-r2 was stabilised in bug 670862 > - Security cleanup done in commit beb6ed08d4fbd0d732510a629faf8faeefb49f01 thanks