[CVE] KMail - HTML injection in plain text viewer
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kcoreaddons (Ubuntu) | Fix Released | High | Unassigned | |
| Precise | Invalid | High | Unassigned | |
| Trusty | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Unassigned | |
| Yakkety | Fix Released | High | Unassigned | |
| kdepimlibs (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Trusty | Fix Released | Undecided | Unassigned | |
Bug Description
KDE Project Security Advisory
=============================
Title: KMail: HTML injection in plain text viewer
Risk Rating: Important
CVE: CVE-2016-7966
Platforms: All
Versions: kmail >= 4.4.0
Author: Andre Heinecke <email address hidden>
Date: 6 October 2016
Overview
========
Through a malicious URL that contained a quote character it was possible
to inject HTML code into KMail's plain text viewer. Because of the parser
used on the URL, the injected HTML could not contain an equal sign (=) or
a space, which greatly reduces the HTML functionality available to an
attacker. It is, however, possible to include an HTML comment indicator to
hide content.
Impact
======
An unauthenticated attacker can send mails with malicious content that
breaks KMail's plain text HTML escape logic. Given the limitations on the
injected HTML, this may not be serious in itself. But as a way to break
out of KMail's restricted plain text mode, it might open the way to the
exploitation of other vulnerabilities in the HTML viewer code, which is
disabled by default.
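The bug class the Overview and Impact sections describe is an auto-linker that escapes the surrounding text but copies the URL verbatim into an HTML attribute, so a quote character inside the URL terminates the attribute value. The following C++ model is an added, constructed example; it is not KMail's KTextToHTML code nor any of the KDE patches. The function names (`htmlEscape`, `linkifyUnsafe`, `linkifySafe`, `countTagOpeners`), the rule that a URL token ends at the next whitespace character, and the sample line are assumptions made for the example. It shows the defective pattern beside its hardened form, in which every untrusted fragment, the URL included, is escaped before being placed in attribute or element content.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Constructed model of a plain-text linkifier (not KMail's KTextToHTML
// code): it finds the first http:// or https:// token in a line and wraps
// it in an anchor. The two linkify functions differ only in whether the
// URL is escaped before being placed inside the href attribute.

// Replace the characters that carry meaning in HTML text and attributes.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;        break;
        }
    }
    return out;
}

// Locate the first URL token. Assumption for this example: a token runs
// from the scheme to the next whitespace character, so a space cannot be
// smuggled into the URL but a quote can still close the href value.
static bool findUrl(const std::string &text, std::size_t &pos, std::size_t &len) {
    std::size_t p = text.find("http://");
    std::size_t s = text.find("https://");
    if (p == std::string::npos || (s != std::string::npos && s < p)) {
        p = s;
    }
    if (p == std::string::npos) {
        return false;
    }
    std::size_t end = p;
    while (end < text.size() && !std::isspace(static_cast<unsigned char>(text[end]))) {
        ++end;
    }
    pos = p;
    len = end - p;
    return true;
}

// Defective pattern modelled on the advisory: the surrounding text is
// escaped, but the URL is copied verbatim into the attribute. A quote
// inside the URL closes the href value and the remainder is parsed as markup.
std::string linkifyUnsafe(const std::string &line) {
    std::size_t pos = 0, len = 0;
    if (!findUrl(line, pos, len)) {
        return htmlEscape(line);
    }
    const std::string url = line.substr(pos, len);
    return htmlEscape(line.substr(0, pos))
         + "<a href=\"" + url + "\">" + url + "</a>"
         + htmlEscape(line.substr(pos + len));
}

// Hardened form: every untrusted fragment, the URL included, goes through
// htmlEscape before it is placed in attribute or element content.
std::string linkifySafe(const std::string &line) {
    std::size_t pos = 0, len = 0;
    if (!findUrl(line, pos, len)) {
        return htmlEscape(line);
    }
    const std::string url = line.substr(pos, len);
    return htmlEscape(line.substr(0, pos))
         + "<a href=\"" + htmlEscape(url) + "\">" + htmlEscape(url) + "</a>"
         + htmlEscape(line.substr(pos + len));
}

// Regression check in the spirit of the automatic tests the advisory
// update mentions: count raw '<' characters. A correct linkifier emits
// exactly two (the opening <a ...> and the closing </a>) for one URL.
int countTagOpeners(const std::string &html) {
    int n = 0;
    for (char c : html) {
        if (c == '<') {
            ++n;
        }
    }
    return n;
}

// Constructed sample line: a URL token carrying a quote followed by an
// HTML comment opener, the shape the advisory describes.
const std::string kSampleLine =
    "See http://example.invalid/\"><!-- and the rest of the message";

int main() {
    std::cout << "unsafe: " << linkifyUnsafe(kSampleLine) << '\n';
    std::cout << "safe:   " << linkifySafe(kSampleLine) << '\n';
    std::cout << "raw '<' count, unsafe: " << countTagOpeners(linkifyUnsafe(kSampleLine))
              << ", safe: " << countTagOpeners(linkifySafe(kSampleLine)) << '\n';
    return 0;
}
```

Run as is, the unsafe output contains an unescaped `<!--` inside the anchor, which a browser treats as the start of a comment and hides the rest of the line; the safe output renders the same URL as visible, inert text. The `countTagOpeners` check is the kind of assertion worth keeping in a test suite for any text-to-HTML converter: it fails the moment untrusted input reaches the output unescaped.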
Workaround
==========
None.

Solution
========
For KDE Frameworks based releases of KMail, apply the following patch to
kcoreaddons:
https:/

For kdelibs4 based releases, apply the following patch:
https:/
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and Laurent Montel for
fixing this issue.
Updated Information (1 November 2016)
=====================================
The patches mentioned above are not enough to fix the vulnerability
completely. This was not visible at first because the patches for
CVE-2016-7967 and CVE-2016-7968 ensured that this vulnerability could no
longer do harm. It only became apparent that this vulnerability is not
closed completely on systems that are affected by this CVE alone.

For KCoreAddons you need:
https:/
To apply this patch you may also need to cherry-pick:
https:/
(These two are released in KCoreAddons KDE Frameworks 5.27.0.)

Additional git commit needed to close the issue completely:
https:/

Not needed in the strict sense, but this adds the automatic tests that
check whether this CVE is closed:
https:/
(This will be part of KCoreAddons KDE Frameworks 5.28.0.)

For kdepimlibs 4.14:
https:/
https:/
kdepimlibs is at end of life, so no further release is planned.
Changed in ubuntu:
  assignee: nobody → Simon Quigley (tsimonq2)
  status: New → In Progress
Changed in ubuntu:
  assignee: Simon Quigley (tsimonq2) → nobody
  status: In Progress → Invalid
no longer affects: kcoreaddons (Ubuntu)
affects: ubuntu → kcoreaddons (Ubuntu)
Changed in kcoreaddons (Ubuntu):
  assignee: nobody → Simon Quigley (tsimonq2)
  status: Invalid → In Progress
Changed in kcoreaddons (Ubuntu):
  importance: Critical → High
Changed in kcoreaddons (Ubuntu Yakkety):
  assignee: Simon Quigley (tsimonq2) → Clive Johnston (clivejo)
Changed in kcoreaddons (Ubuntu Precise):
  status: New → In Progress
  assignee: nobody → Simon Quigley (tsimonq2)
Changed in kcoreaddons (Ubuntu Xenial):
  importance: Undecided → High
Changed in kcoreaddons (Ubuntu Trusty):
  importance: Undecided → High
Changed in kcoreaddons (Ubuntu Precise):
  importance: Undecided → High
Changed in kcoreaddons (Ubuntu Trusty):
  status: Invalid → Fix Released
Changed in kcoreaddons (Ubuntu Xenial):
  assignee: nobody → Simon Quigley (tsimonq2)
  status: Confirmed → In Progress
description: updated
no longer affects: kdepimlibs (Ubuntu Precise)
Changed in kdepimlibs (Ubuntu Trusty):
  status: New → In Progress
  assignee: nobody → Simon Quigley (tsimonq2)
Changed in kdepimlibs (Ubuntu):
  status: New → Fix Released
no longer affects: kdepimlibs (Ubuntu Xenial)
no longer affects: kdepimlibs (Ubuntu Yakkety)
summary: CVE - KMail - HTML injection in plain text viewer → [CVE] KMail - HTML injection in plain text viewer
Changed in kcoreaddons (Ubuntu Precise):
  assignee: Simon Quigley (tsimonq2) → nobody
Changed in kcoreaddons (Ubuntu Xenial):
  assignee: Simon Quigley (tsimonq2) → nobody
Changed in kdepimlibs (Ubuntu Trusty):
  assignee: Simon Quigley (tsimonq2) → nobody
At the moment, we (being Rik, Clive, and myself) believe that this affects Yakkety, Xenial, Trusty, and Precise. I'll work on some patches for each release.