[CVE] KMail - JavaScript access to local and remote URLs
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kf5-messagelib (Ubuntu) |
Fix Released
|
Critical
|
Unassigned | ||
Zesty |
Invalid
|
Undecided
|
Unassigned |
Bug Description
KDE Project Security Advisory
=======
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: CVE-2016-7967
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <email address hidden>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local
URLs was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that read or write local files and send them
to remote URLs or change the contents of local files in malicious ways. The
code is executed when when viewing HTML the mails.
Combined with CVE-2016-7966 the code could also be executed when viewing
plain text mails.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https:/
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing and the problems and reviewing the fix
and Laurent Montel for fixing the issues.
==== This bug also aims to fix: ====
KDE Project Security Advisory
=======
Title: KMail: JavaScript execution in HTML Mails
Risk Rating: Normal
CVE: CVE-2016-7968
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <email address hidden>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. HTML Mail contents were not sanitized for
JavaScript and included code was executed.
Impact
======
An unauthenticated attacker can send out mails with Javascript to manipulate
the display of messages. The JavaScript executed might be used as an entry
point for further exploits.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
The full solution disables JavaScript in the Mailviewer of KMail. This
requires API introduced in Qt 5.7.0 so KMail needs to be built with
Qt 5.7.0 and the following patch:
https:/
For versions previous to 5.7.0 the following patches partly sanitize mails
but still make it possible to inject code:
https:/
https:/
https:/
https:/
https:/
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing and the problems and reviewing the fix
and Laurent Montel for fixing the issues.
Changed in ubuntu: | |
status: | New → Triaged |
assignee: | nobody → Simon Quigley (tsimonq2) |
information type: | Private Security → Public Security |
description: | updated |
description: | updated |
description: | updated |
Changed in kf5-messagelib (Ubuntu Zesty): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
status: | New → In Progress |
description: | updated |
description: | updated |
summary: |
- CVE - KMail - JavaScript access to local and remote URLs + [CVE] KMail - JavaScript access to local and remote URLs |
description: | updated |
Changed in kf5-messagelib (Ubuntu Zesty): | |
assignee: | Simon Quigley (tsimonq2) → nobody |
Changed in kf5-messagelib (Ubuntu): | |
assignee: | Simon Quigley (tsimonq2) → nobody |
We looked through the logs, and this doesn't affect us at the moment, but it *will* affect us if we upload 16.08.1.