KMail: HTML injection in plain text viewer

Bug #1631237 reported by Scott Kitterman
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kdepimlibs (Ubuntu)
Invalid
High
Unassigned
Precise
Fix Released
High
Unassigned
Trusty
Fix Released
High
Unassigned
Xenial
Invalid
High
Unassigned
Yakkety
Fix Released
High
Unassigned

Bug Description

Through a malicious URL that contained a quote character it
was possible to inject HTML code in KMail's plain text viewer.
Due to the parser used on the URL it was not possible to include
the equal sign (=) or a space into the injected HTML, which greatly
reduces the available HTML functionality. Although it is possible
to include an HTML comment indicator to hide content.

Note: Affected package is kdepimlibs in 12.04 - 15.04 and it looks like both kcoreaddons and messagecomposer in later releases.

CVE References

Revision history for this message
Scott Kitterman (kitterman) wrote :

This is a direct backport of the upstream commit and it applies cleanly.

I built the package in a clean trusty chroot and installed it on an up to date Trusty system.

Kmail appears to be working correctly. I do not have a reproducer for this, so I can't validate that the fix works (since it's the upstream fix, I don't think that's too concerning), but it does appear to be regression free.

Changed in kdepimlibs (Ubuntu):
status: Triaged → Confirmed
Changed in kdepimlibs (Ubuntu Trusty):
status: New → Confirmed
Changed in kdepimlibs (Ubuntu Trusty):
importance: Undecided → High
Changed in kdepimlibs (Ubuntu Yakkety):
status: Confirmed → New
Changed in kdepimlibs (Ubuntu Precise):
importance: Undecided → High
Changed in kdepimlibs (Ubuntu Xenial):
importance: Undecided → High
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #1, thanks!

Package is building now and will be released later today.

Changed in kdepimlibs (Ubuntu Xenial):
status: New → Invalid
Changed in kdepimlibs (Ubuntu Yakkety):
status: New → Invalid
Changed in kdepimlibs (Ubuntu Precise):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdepimlibs - 4:4.13.3-0ubuntu0.3

---------------
kdepimlibs (4:4.13.3-0ubuntu0.3) trusty-security; urgency=high

  * SECURITY UPDATE: KMail: HTML injection in plain text viewer
  * References (LP: #1631237)
  * CVE-2016-7966
  * Avoid transforming as a url in plain text mode when there is a quote
  * Add debian/patches/CVE-2016-7966.diff from upstream

 -- Scott Kitterman <email address hidden> Thu, 06 Oct 2016 23:50:44 -0400

Changed in kdepimlibs (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in kdepimlibs (Ubuntu Precise):
status: Confirmed → Fix Released
Simon Quigley (tsimonq2)
Changed in kdepimlibs (Ubuntu Yakkety):
status: Invalid → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers