
kmail/kontact message viewer incorrectly defaults to having JavaScript, Java, and Plugins enabled

Reported by Scott Kitterman on 2012-07-09
Affects / Importance / Assigned to:
kdepim (Ubuntu): High, Scott Kitterman
Oneiric: High, Marc Deslauriers
Precise: High, Marc Deslauriers
Quantal: High, Scott Kitterman

Bug Description

Upstream has somewhat cryptically suggested applying the upstream patch in http://commits.kde.org/kdepim/dbb2f72f4745e00f53031965a9c10b2d6862bd54 as a security fix. No CVE AFAIK.

It appears to apply to kdepim 4.7 (oneiric), 4.8 (precise), and the upcoming 4.9 (quantal).

diff --git a/messageviewer/htmlquotecolorer.cpp
b/messageviewer/htmlquotecolorer.cpp
index b54e989..67c3062 100644
--- a/messageviewer/htmlquotecolorer.cpp
+++ b/messageviewer/htmlquotecolorer.cpp
@@ -40,6 +40,10 @@ QString HTMLQuoteColorer::process( const QString
&htmlSource )
 #ifndef KDEPIM_NO_WEBKIT
   // Create a DOM Document from the HTML source
   QWebPage page(0);
+ page.settings()->setAttribute( QWebSettings::JavascriptEnabled, false );
+ page.settings()->setAttribute( QWebSettings::JavaEnabled, false );
+ page.settings()->setAttribute( QWebSettings::PluginsEnabled, false );
+
   QWebFrame *frame = page.mainFrame();
   frame->setHtml( htmlSource );
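Review bot: the hunk only clears the three QWebSettings attributes (JavascriptEnabled, JavaEnabled, PluginsEnabled) on the QWebPage that HTMLQuoteColorer builds to walk the DOM, while David Faure's reply further down this report says external images were also fetched while rendering, and nothing in this hunk stops that; since the page exists only to colour quotes and never needs an image, consider adding `page.settings()->setAttribute( QWebSettings::AutoLoadImages, false );` alongside the other three. The ordering is right: the attributes are set before `frame->setHtml( htmlSource );`, which is the point at which message content would be interpreted. A one-line comment stating that this QWebPage is a parser only and must never execute or fetch message content would stop the defaults from creeping back in a later refactor.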

security vulnerability: no → yes
Changed in kdepim (Ubuntu Quantal):
assignee: nobody → Scott Kitterman (kitterman)
importance: Undecided → High
status: New → In Progress
Changed in kdepim (Ubuntu Precise):
assignee: nobody → Scott Kitterman (kitterman)
importance: Undecided → High
status: New → In Progress
milestone: none → ubuntu-12.04.1
Changed in kdepim (Ubuntu Quantal):
milestone: none → quantal-alpha-3
Changed in kdepim (Ubuntu Oneiric):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Scott Kitterman (kitterman)
milestone: none → oneiric-updates
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdepim - 4:4.8.90-0ubuntu2

---------------
kdepim (4:4.8.90-0ubuntu2) quantal; urgency=low

  * Fix for upstream security issue, will be in the RC (LP: #1022690)
 -- Scott Kitterman <email address hidden> Mon, 09 Jul 2012 15:31:47 -0400

Changed in kdepim (Ubuntu Quantal):
status: In Progress → Fix Released
Scott Kitterman (kitterman) wrote :

Debdiff for oneiric. Untested, but the patch is trivial and the code is identical to the upstream commit for 4.8/4.9.

Scott Kitterman (kitterman) wrote :

Debdiff for precise. I have run this patch locally and I don't see any problems. Since it's not clear exactly what this is supposed to protect from, I can't verify if it does.

Changed in kdepim (Ubuntu Oneiric):
status: In Progress → Confirmed
Changed in kdepim (Ubuntu Precise):
status: In Progress → Confirmed
Changed in kdepim (Ubuntu Oneiric):
assignee: Scott Kitterman (kitterman) → nobody
Changed in kdepim (Ubuntu Precise):
assignee: Scott Kitterman (kitterman) → nobody
Scott Kitterman (kitterman) wrote :

Setting to Confirmed/unassigning myself per https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue. I think these are ready for upload.

Scott Kitterman (kitterman) wrote :

I got more information on this today:

On Thursday, July 12, 2012 02:51:28 PM David Faure <...@kde.org> wrote:
> On Saturday 07 July 2012 11:36:10 Scott Kitterman wrote:
> > Would it be possible to get a sentence or two on what the vulnerability
> > was
> > that this fixed (the commit message isn't particularly helpful)?
>
> We found that javascript and external images were loaded (and interpreted
> (the JS, not the images)) while rendering HTML emails in kmail.
>
> > Is there a CVE number?
>
> No. I sent the patch to <email address hidden>, but I have no idea about the
> process to get a CVE number.
>
> I also don't know how much damage this can really do, in any case.

Based on that, I can verify the fix works correctly for Precise (and since it's the same code, I'm sure it will for oneiric too).
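An added example, not part of this bug report or of kdepim: a small Python scanner that flags the content classes the patched QWebSettings attributes switch off (script, Java applets, plugins) and, separately, remote image references, which David Faure's reply above says were also fetched and which the hunk does not touch. The sample message and its hostnames are constructed; the scanner is a triage aid for checking test messages during SRU verification, not kmail's own logic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Content class -> QWebSettings attribute the kdepim fix switches off.
# External images have no entry: the patch leaves them untouched.
BLOCKED_BY = {"javascript": "QWebSettings::JavascriptEnabled",
              "java": "QWebSettings::JavaEnabled",
              "plugin": "QWebSettings::PluginsEnabled"}
ACTIVE_TAGS = {"script": "javascript", "applet": "java",
               "object": "plugin", "embed": "plugin"}

class ActiveContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, where) tuples

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append((ACTIVE_TAGS[tag], tag))
        for name, value in attrs:
            value = (value or "").strip().lower()
            # onclick= style handlers and javascript: URLs are script too
            if name.startswith("on") or value.startswith("javascript:"):
                self.findings.append(("javascript", f"{tag}@{name}"))
            # a remote <img> is fetched while the DOM is built, leaking the
            # reader's address and read time; cid: inline parts are harmless
            if tag == "img" and name == "src" and \
                    urlsplit(value).scheme in ("http", "https"):
                self.findings.append(("external-image", value))

def scan_html(html):
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def not_covered_by_fix(findings):
    """Findings that disabling the three attributes does not address."""
    return [f for f in findings if f[0] not in BLOCKED_BY]

# Constructed sample message; the hostnames are placeholders.
SAMPLE_EMAIL_HTML = """<html><body>
<blockquote type="cite">&gt; please review the attached report</blockquote>
<img src="cid:logo@example.invalid" alt="inline logo">
<img src="http://tracker.example.invalid/open.gif" width="1" height="1">
<script>document.title = 'rendered';</script>
<a href="javascript:void(0)" onclick="alert(1)">link</a>
<object data="plugin.swf"></object>
</body></html>"""
```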

Changed in kdepim (Ubuntu Oneiric):
status: Confirmed → Triaged
Changed in kdepim (Ubuntu Precise):
status: Confirmed → Triaged
Changed in kdepim (Ubuntu Oneiric):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in kdepim (Ubuntu Precise):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in kdepim (Ubuntu Oneiric):
assignee: Ubuntu Security Team (ubuntu-security) → Marc Deslauriers (mdeslaur)
Changed in kdepim (Ubuntu Precise):
assignee: Ubuntu Security Team (ubuntu-security) → Marc Deslauriers (mdeslaur)

Hello Scott, or anyone else affected,

Accepted kdepim into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/kdepim/4:4.8.4a-0ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in kdepim (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Changed in kdepim (Ubuntu Oneiric):
status: Triaged → Fix Committed
Adam Conrad (adconrad) wrote :

Hello Scott, or anyone else affected,

Accepted kdepim into oneiric-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/kdepim/4:4.7.4+git111222-0ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in kdepim (Ubuntu Oneiric):
status: Fix Committed → Triaged
Changed in kdepim (Ubuntu Precise):
status: Fix Committed → Triaged
Adam Conrad (adconrad) wrote :

Resetting bug statuses to triaged, since the -security uploads haven't happened yet, only the -proposed ones. Quel fun.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdepim - 4:4.8.4a-0ubuntu0.3

---------------
kdepim (4:4.8.4a-0ubuntu0.3) precise-security; urgency=high

  * SECURITY UPDATE: Disable JavaScript, Java, and Plugins by default in
    kmail/kontact messageviewer's quote colorer (LP: #1022690)
    - Upstream Git dbb2f72f4745e00f53031965a9c10b2d6862bd54
    - CVE-2012-3413
 -- Scott Kitterman <email address hidden> Wed, 18 Jul 2012 09:08:14 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdepim - 4:4.7.4+git111222-0ubuntu0.3

---------------
kdepim (4:4.7.4+git111222-0ubuntu0.3) oneiric-security; urgency=high

  * SECURITY UPDATE: Disable JavaScript, Java, and Plugins by default in
    kmail/kontact messageviewer's quote colorer (LP: #1022690)
    - Upstream Git dbb2f72f4745e00f53031965a9c10b2d6862bd54
    - CVE-2012-3413
 -- Scott Kitterman <email address hidden> Wed, 18 Jul 2012 09:08:14 -0400

Changed in kdepim (Ubuntu Oneiric):
status: Triaged → Fix Released
Changed in kdepim (Ubuntu Precise):
status: Triaged → Fix Released