group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1631237] Re: KMail: HTML injection in plain text viewer

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Tue, 11 Oct 2016 13:34:13 -0000
Reply-to: Bug 1631237 <1631237@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

ACK on the debdiff in comment #1, thanks!

Package is building now and will be released later today.

** Changed in: kdepimlibs (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: kdepimlibs (Ubuntu Yakkety)
       Status: New => Invalid

** Changed in: kdepimlibs (Ubuntu Precise)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1631237

Title:
  KMail: HTML injection in plain text viewer

Status in kdepimlibs package in Ubuntu:
  Invalid
Status in kdepimlibs source package in Precise:
  Confirmed
Status in kdepimlibs source package in Trusty:
  Confirmed
Status in kdepimlibs source package in Xenial:
  Invalid
Status in kdepimlibs source package in Yakkety:
  Invalid

Bug description:
  Through a malicious URL that contained a quote character it
  was possible to inject HTML code in KMail's plain text viewer.
  Due to the parser used on the URL it was not possible to include
  the equal sign (=) or a space into the injected HTML, which greatly
  reduces the available HTML functionality. Although it is possible
  to include an HTML comment indicator to hide content.

  Note: Affected package is kdepimlibs in 12.04 - 15.04 and it looks
  like both kcoreaddons and messagecomposer in later releases.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kdepimlibs/+bug/1631237/+subscriptions