Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 717928 (CVE-2020-11880) - <kde-apps/kmail-19.12.3: Possible disclosure of local files by attachments (CVE-2020-11880)
Summary: <kde-apps/kmail-19.12.3: Possible disclosure of local files by attachments (C...
Status: RESOLVED FIXED
Alias: CVE-2020-11880
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://cgit.kde.org/kmail.git/commit...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-17 18:03 UTC by Sam James
Modified: 2020-05-03 23:37 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 18:03:44 UTC
Description:
"An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value."

----
Tree is already clean.
Comment 1 Andreas Sturmlechner gentoo-dev 2020-04-30 18:57:56 UTC
kde proj has nothing to do here, I guess.