group.of.nepali.translators team mailing list archive

[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer

 

Unsubscribing ubuntu-security-sponsors for now since there is nothing to
sponsor. Once a debdiff is attached, please re-subscribe the group.
Thanks!

** Changed in: kcoreaddons (Ubuntu Trusty)
       Status: New => Fix Released

** Changed in: kcoreaddons (Ubuntu Precise)
       Status: In Progress => Invalid

** Changed in: kcoreaddons (Ubuntu Trusty)
       Status: Fix Released => Invalid

** Changed in: kcoreaddons (Ubuntu Xenial)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1630700

Title:
  CVE - KMail - HTML injection in plain text viewer

Status in kcoreaddons package in Ubuntu:
  Fix Released
Status in kcoreaddons source package in Precise:
  Invalid
Status in kcoreaddons source package in Trusty:
  Invalid
Status in kcoreaddons source package in Xenial:
  Confirmed
Status in kcoreaddons source package in Yakkety:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title:             KMail: HTML injection
  Risk Rating:  Important
  CVE:              #TODO
  Platforms:      All
  Versions:       kmail >= 4.4.0
  Author:         #TODO
  Date:            #TODO

  Overview
  ========

  Through a malicious URL that contained a quote character it
  was possible to inject HTML code in KMail's plain text viewer.
  Due to the parser used on the URL it was not possible to include
  the equal sign (=) or a space into the injected HTML, which greatly
  reduces the available HTML functionality, although it is possible
  to include an HTML comment indicator to hide content.

  Impact
  ======

  An unauthenticated attacker can send out mails with malicious content
  that breaks KMail's plain text HTML escape logic. Due to the limitations
  of the provided HTML in itself it might not be serious. But as a way
  to break out of KMail's restricted Plain text mode this might open
  the way to the exploitation of other vulnerabilities in the HTML viewer
  code, which is disabled by default.

  Workaround
  ==========

  None.

  Solution
  ========

  For KDE Frameworks based releases of KMail apply the following patch to
  kcoreaddons:

  https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12

  For KDE 4 apply the following patch:
  https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf

  Credits
  =======

  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing the problems and Laurent Montel for
  fixing this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions
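
The advisory's Overview describes a quote character in a URL getting past the plain text viewer's HTML escaping. The following is an added example, not the kcoreaddons or kdepimlibs patch and not KMail's code: it assumes a viewer that turns URLs into links, and shows the URL being escaped for the attribute context before it is written out. `escapeHtml` and `linkifyPlainText` are hypothetical names and the sample message is constructed.

```cpp
#include <initializer_list>
#include <iostream>
#include <string>

// Escape text so it is inert both as element content and inside a
// double-quoted attribute value.
std::string escapeHtml(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// Hypothetical plain-text-to-HTML step: wraps http:// and https:// URLs in
// <a> tags. Every byte of the input passes through escapeHtml exactly once.
std::string linkifyPlainText(const std::string &text) {
    std::string out;
    std::size_t pos = 0;
    while (pos < text.size()) {
        std::size_t start = std::string::npos;
        for (const char *scheme : {"http://", "https://"}) {
            const std::size_t s = text.find(scheme, pos);
            if (s < start) start = s;  // earliest scheme match wins
        }
        if (start == std::string::npos) {
            out += escapeHtml(text.substr(pos));
            break;
        }
        out += escapeHtml(text.substr(pos, start - pos));
        std::size_t end = text.find_first_of(" \t\r\n", start);
        if (end == std::string::npos) end = text.size();
        // The URL is escaped before it reaches the href attribute.
        const std::string url = escapeHtml(text.substr(start, end - start));
        out += "<a href=\"" + url + "\">" + url + "</a>";
        pos = end;
    }
    return out;
}

int main() {
    // Constructed sample message containing a quote inside a URL.
    std::cout << linkifyPlainText("see http://example.invalid/a\"><i>x now") << "\n";
    return 0;
}
```
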