KMail: HTML injection in plain text viewer
Bug #1631237 reported by Scott Kitterman
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kdepimlibs (Ubuntu) | Invalid | High | Unassigned |
Precise | Fix Released | High | Unassigned |
Trusty | Fix Released | High | Unassigned |
Xenial | Invalid | High | Unassigned |
Yakkety | Fix Released | High | Unassigned |
Bug Description
Through a malicious URL that contained a quote character it
was possible to inject HTML code in KMail's plain text viewer.
Due to the parser used on the URL it was not possible to include
the equal sign (=) or a space into the injected HTML, which greatly
reduces the available HTML functionality, although it is possible
to include an HTML comment indicator to hide content.
Note: Affected package is kdepimlibs in 12.04 - 15.04 and it looks like both kcoreaddons and messagecomposer in later releases.
CVE References
Changed in kdepimlibs (Ubuntu Trusty):
importance: Undecided → High
Changed in kdepimlibs (Ubuntu Yakkety):
status: Confirmed → New
Changed in kdepimlibs (Ubuntu Precise):
importance: Undecided → High
Changed in kdepimlibs (Ubuntu Xenial):
importance: Undecided → High
Changed in kdepimlibs (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in kdepimlibs (Ubuntu Yakkety):
status: Invalid → Fix Released
This is a direct backport of the upstream commit and it applies cleanly.
I built the package in a clean trusty chroot and installed it on an up-to-date Trusty system.
KMail appears to be working correctly. I do not have a reproducer for this, so I can't validate that the fix works (since it's the upstream fix, I don't think that's too concerning), but it does appear to be regression free.