[CVE] KMail - HTML injection in plain text viewer

Bug #1630700 reported by Clive Johnston
Affects               Status        Importance  Assigned to  Milestone
kcoreaddons (Ubuntu)  Fix Released  High        Unassigned
  Precise             Invalid       High        Unassigned
  Trusty              Fix Released  High        Unassigned
  Xenial              Fix Released  High        Unassigned
  Yakkety             Fix Released  High        Unassigned
kdepimlibs (Ubuntu)   Fix Released  Undecided   Unassigned
  Trusty              Fix Released  Undecided   Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: KMail: HTML injection in plain text viewer
Risk Rating: Important
CVE: CVE-2016-7966
Platforms: All
Versions: kmail >= 4.4.0
Author: Andre Heinecke <email address hidden>
Date: 6 October 2016

Overview
========

Through a malicious URL containing a quote character it was possible to
inject HTML into KMail's plain text viewer. Because of the parser applied
to the URL, the injected HTML cannot contain an equals sign (=) or a
space, which greatly reduces the usable HTML functionality. An HTML
comment opener can still be included, however, to hide the content that
follows it.
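The mechanism, as an added example in C++ that is not KDE's code: a toy plain-text-to-HTML linkifier in the style of KTextToHTML, first with the URL spliced raw into the href attribute, then hardened. The URL scanner here stops only at whitespace, so it is looser than the real parser (it would let an equals sign through); the message body, the helper names and the host example.invalid are all constructed for this example.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Escape the characters that change meaning in HTML text or in a
// double-quoted attribute value.
std::string htmlEscape(const std::string &s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default: out += c;
        }
    }
    return out;
}

// Find the next http(s):// URL at or after `from`. The URL runs until the
// next whitespace character (assumption: looser than KTextToHTML's parser).
static bool findUrl(const std::string &text, size_t from, size_t &begin, size_t &end) {
    for (size_t i = from; i < text.size(); ++i) {
        if (text.compare(i, 7, "http://") == 0 || text.compare(i, 8, "https://") == 0) {
            begin = i;
            end = i;
            while (end < text.size() && !std::isspace(static_cast<unsigned char>(text[end])))
                ++end;
            return true;
        }
    }
    return false;
}

// Shared driver: escape the plain text and hand each URL to `link`.
template <typename LinkFn>
static std::string textToHtml(const std::string &text, LinkFn link) {
    std::string out;
    size_t pos = 0, b = 0, e = 0;
    while (findUrl(text, pos, b, e)) {
        out += htmlEscape(text.substr(pos, b - pos));
        out += link(text.substr(b, e - b));
        pos = e;
    }
    out += htmlEscape(text.substr(pos));
    return out;
}

// Vulnerable: the URL passed the parser, so it is trusted and spliced raw
// into the attribute. A quote in the URL closes href="..." early.
std::string textToHtmlVulnerable(const std::string &text) {
    return textToHtml(text, [](const std::string &url) {
        return "<a href=\"" + url + "\">" + url + "</a>";
    });
}

// Hardened: a URL containing a quote is not treated as a link at all, and
// whatever is emitted is escaped for the attribute context anyway.
std::string textToHtmlFixed(const std::string &text) {
    return textToHtml(text, [](const std::string &url) {
        if (url.find('"') != std::string::npos)
            return htmlEscape(url);
        return "<a href=\"" + htmlEscape(url) + "\">" + htmlEscape(url) + "</a>";
    });
}

// Check helper: did a tag or comment opener survive into the rendered HTML?
bool containsInjectedTag(const std::string &html) {
    return html.find("<b>") != std::string::npos || html.find("<!--") != std::string::npos;
}

int main() {
    // Constructed sample message body (not the advisory's payload).
    const std::string body =
        "See http://example.invalid/\"><b>injected</b><!-- and do not miss the rest.";
    std::cout << "vulnerable: " << textToHtmlVulnerable(body) << "\n";
    std::cout << "fixed:      " << textToHtmlFixed(body) << "\n";
    return 0;
}
```

Compile with any C++11 compiler and run it: the vulnerable output begins with `<a href="http://example.invalid/"><b>injected</b><!--">`, so an HTML viewer closes the attribute early, renders the bold tag and hides everything after the comment opener; the fixed output is escaped text only. The hardened callback applies two independent controls, refusing to linkify a URL that contains a quote (in the spirit of the upstream patch named in the Yakkety changelog below) and escaping whatever it emits into the attribute, so either one alone would close this bug.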

Impact
======

An unauthenticated attacker can send mail whose content breaks KMail's
plain text HTML escaping. On its own the injectable HTML is limited, so
the impact may not be serious. But as a way to break out of KMail's
restricted plain text mode it could open the way to exploiting other
vulnerabilities in the HTML viewer code, which is disabled by default.

Workaround
==========

None.

Solution
========

For KDE Frameworks based releases of KMail apply the following patch to
kcoreaddons:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12

For kdelibs4 based releases apply the following patch:
https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and Laurent Montel for
fixing this issue.

Updated Information (1 November 2016)
=====================================

The patches mentioned above are not enough to fix the vulnerability completely.
This was not noticed at first, because the patches for CVE-2016-7967 and
CVE-2016-7968 neutralised the remaining impact. The gap only became visible on
systems that are affected by this CVE alone.

For KCoreAddons you need:
 https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12
To apply that patch you may also need to cherry-pick:
 https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=1be7272373d60e4234f1a5584e676b579302b053
(these two are released in KCoreAddons KDE Frameworks 5.27.0)

Additional commit needed to close the issue completely:
 https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
Not strictly needed, but it adds the automatic tests that check whether this CVE is closed:
 https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=a06cef31cc4c908bc9b76bd9d103fe9c60e0953f
(will be part of KCoreAddons KDE Frameworks 5.28.0)

For kdepimlibs 4.14:
 https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
 https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=8bbe1bd3fdc55f609340edc667ff154b3d2aaab1
kdepimlibs is at end of life, so no further release is planned.

Tags: patch

Simon Quigley (tsimonq2)
Changed in ubuntu:
assignee: nobody → Simon Quigley (tsimonq2)
status: New → In Progress
Simon Quigley (tsimonq2)
Changed in ubuntu:
assignee: Simon Quigley (tsimonq2) → nobody
status: In Progress → Invalid
no longer affects: kcoreaddons (Ubuntu)
affects: ubuntu → kcoreaddons (Ubuntu)
Changed in kcoreaddons (Ubuntu):
assignee: nobody → Simon Quigley (tsimonq2)
status: Invalid → In Progress
Revision history for this message
Simon Quigley (tsimonq2) wrote :

At the moment, we (being Rik, Clive, and myself) believe that this affects Yakkety, Xenial, Trusty, and Precise. I'll work on some patches for each release.

Clive Johnston (clivejo)
Changed in kcoreaddons (Ubuntu):
importance: Critical → High
Revision history for this message
Simon Quigley (tsimonq2) wrote :

This is the fix for precise. I've tested KMail and it works successfully without any regressions.

Revision history for this message
Clive Johnston (clivejo) wrote :

When building source I'm getting following error:

dpkg-source: warning: unexpected end of diff 'kcoreaddons-5.26.0/debian/patches/02-enable-autotest-for-cve-2016-7966.diff'

Too tired to work it out; it's a silly mistake, but I can't see what I'm doing wrong!

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Clive, quite probably: quilt pop -a ; quilt push ; quilt refresh ; quilt push ; quilt refresh would fix that warning from dpkg-source.

We have our preferred changelog format documented at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging -- could you adapt the changelog to match when you fix the diffs and rebuild?

Thanks

Revision history for this message
Clive Johnston (clivejo) wrote :

Hey,

the patch attached to fix this can't be applied for KDE Frameworks 5.26:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12

you need additionally
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=1be7272373d60e4234f1a5584e676b579302b053

I think we should add this information.

Also I think we should add the information, that the affected version is
inside KDE Frameworks < 5.26 and is/will be fixed with 5.27. To make it easier
to understand that this is outside of kdepim space for KF5.

Additionally we should add to all CVEs, the fixed version(s).

Btw. shouldn't we need to release fixed versions for all framework versions? At
the previous Akademy (in Spain) it was said that frameworks will get security
fixes for a year, so we would need to release 12 frameworks?

Regards,

sandro

Revision history for this message
Clive Johnston (clivejo) wrote :
information type: Private Security → Public Security
Revision history for this message
Scott Kitterman (kitterman) wrote :

[18:18:58] <ScottK> infinity: Kubuntu would like to get a security fix in before release: https://anonscm.debian.org/git/pkg-kde/frameworks/kcoreaddons.git/commit/?id=ab7258dd8a87668ba63c585a69f41f291254aa43
[18:19:26] <infinity> ScottK: Security fixes welcome.
[18:19:39] <ScottK> K. Thanks.

Clive Johnston (clivejo)
Changed in kcoreaddons (Ubuntu Yakkety):
assignee: Simon Quigley (tsimonq2) → Clive Johnston (clivejo)
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "precise.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Simon Quigley (tsimonq2)
Changed in kcoreaddons (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kcoreaddons - 5.26.0-0ubuntu2

---------------
kcoreaddons (5.26.0-0ubuntu2) yakkety; urgency=medium

  * SECURITY UPDATE: KMail - HTML injection in plain text viewer
    (LP: #1630700)
    - debian/patches/0001-Fix-very-old-bug-when-we-remove-space-in-
      url-as-foo-.patch: Code added by upstream to fix another bug,
      but needs to be applied in advance of patch 0002
    - debian/patches/0002-Don-t-convert-as-url-an-url-which-has-a.patch:
      Fixes CVE-2016-7966
    Patches cherrypicked from Debian:
    https://anonscm.debian.org/git/pkg-kde/frameworks/kcoreaddons.git
    Commit: ab7258dd8a87668ba63c585a69f41f291254aa43
    Many thanks to Sandro Knauß for these patches

 -- Clive Johnston <email address hidden> Fri, 07 Oct 2016 23:57:19 +0100

Changed in kcoreaddons (Ubuntu Yakkety):
status: In Progress → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #2. I've uploaded it for building now with some additional changes to debian/changelog.

Thanks!

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Could someone please prepare a debdiff for xenial? Thanks!

Revision history for this message
Clive Johnston (clivejo) wrote :

Xenial is proving to be harder to patch due to it being Frameworks 5.18.

https://launchpad.net/ubuntu/+source/kcoreaddons/5.18.0-0ubuntu1

5.18.0 was tagged on Sat, 09 Jan 2016 09:49:38 +0000 (09:49 +0000) so according to this log:

https://quickgit.kde.org/?p=kcoreaddons.git&a=history&h=5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a&f=src%2Flib%2Ftext%2Fktexttohtml.cpp

We have 5 patches to apply, but I'm not experienced enough with coding to determine what is needed to fix the CVE and what is just new features or bug fixes. There is talk in the KDE community that patches might be available for up to a year after release, but still waiting on confirmation.

Clive Johnston (clivejo)
Changed in kcoreaddons (Ubuntu Xenial):
importance: Undecided → High
Changed in kcoreaddons (Ubuntu Trusty):
importance: Undecided → High
Changed in kcoreaddons (Ubuntu Precise):
importance: Undecided → High
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-security-sponsors for now since there is nothing to sponsor. Once a debdiff is attached, please re-subscribe the group. Thanks!

Changed in kcoreaddons (Ubuntu Trusty):
status: New → Fix Released
Changed in kcoreaddons (Ubuntu Precise):
status: In Progress → Invalid
Changed in kcoreaddons (Ubuntu Trusty):
status: Fix Released → Invalid
Changed in kcoreaddons (Ubuntu Xenial):
status: New → Confirmed
Simon Quigley (tsimonq2)
Changed in kcoreaddons (Ubuntu Trusty):
status: Invalid → Fix Released
Simon Quigley (tsimonq2)
Changed in kcoreaddons (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
status: Confirmed → In Progress
description: updated
Simon Quigley (tsimonq2)
no longer affects: kdepimlibs (Ubuntu Precise)
Changed in kdepimlibs (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Changed in kdepimlibs (Ubuntu):
status: New → Fix Released
no longer affects: kdepimlibs (Ubuntu Xenial)
no longer affects: kdepimlibs (Ubuntu Yakkety)
Revision history for this message
Simon Quigley (tsimonq2) wrote :

As shown in the bug description edit, this bug is not 100% fixed yet. I'm working on fixes.

Simon Quigley (tsimonq2)
summary: - CVE - KMail - HTML injection in plain text viewer
+ [CVE] KMail - HTML injection in plain text viewer
Revision history for this message
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for kdepimlibs in Trusty applicable to 4.13.3-0ubuntu0.3. I tested this on a fresh Kubuntu 14.04 LTS install and it works fine.

Revision history for this message
Simon Quigley (tsimonq2) wrote :

Here's a debdiff for kcoreaddons in Xenial applicable to 5.18.0-0ubuntu1. I tested it and it works fine.

Revision history for this message
Simon Quigley (tsimonq2) wrote :

Here is a follow-up patch for kdepimlibs in Trusty applicable to 4.13.3-0ubuntu0.3 that addresses some general feedback I have received on other bug reports. This shouldn't need any new testing because this is technically the same as the last debdiff.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs in comments #16 and #17. They are building now and will be released as security updates. Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kcoreaddons - 5.18.0-0ubuntu1.1

---------------
kcoreaddons (5.18.0-0ubuntu1.1) xenial-security; urgency=high

  * SECURITY UPDATE: KMail - HTML injection in plain text viewer
    (LP: #1630700)
    - CVE-2016-7966
    - CVE-2016-7966_1.patch - 1be727 from upstream
    - CVE-2016-7966_2.patch - 96e562 from upstream
    - CVE-2016-7966_3.patch - a06cef from upstream
    - CVE-2016-7966_4.patch - 5e13d2 from upstream

 -- Simon Quigley <email address hidden> Fri, 11 Aug 2017 23:36:27 -0500

Changed in kcoreaddons (Ubuntu Xenial):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdepimlibs - 4:4.13.3-0ubuntu0.4

---------------
kdepimlibs (4:4.13.3-0ubuntu0.4) trusty-security; urgency=high

  * SECURITY UPDATE: KMail: HTML injection in plain text viewer (LP: #1630700)
    - CVE-2016-7966
    - The security vulnerability was not completely fixed in the last update.
      This upload applies one additional commit from upstream to completely
      fix it.
    - Split CVE-2016-7966.diff into CVE-2016-7966_1.patch and
      CVE-2016-7966_2.patch and add DEP-3 meta-information to make it clear
      that to fix the CVE, two patches are needed.

 -- Simon Quigley <email address hidden> Thu, 10 Aug 2017 17:52:29 -0500

Changed in kdepimlibs (Ubuntu Trusty):
status: In Progress → Fix Released
Simon Quigley (tsimonq2)
Changed in kcoreaddons (Ubuntu Precise):
assignee: Simon Quigley (tsimonq2) → nobody
Changed in kcoreaddons (Ubuntu Xenial):
assignee: Simon Quigley (tsimonq2) → nobody
Changed in kdepimlibs (Ubuntu Trusty):
assignee: Simon Quigley (tsimonq2) → nobody