| 2016-10-05 17:57:07 |
Clive Johnston |
bug |
|
|
added bug |
| 2016-10-05 17:57:38 |
Clive Johnston |
bug |
|
|
added subscriber Rik Mills |
| 2016-10-05 17:57:49 |
Clive Johnston |
bug |
|
|
added subscriber Simon Quigley |
| 2016-10-05 19:03:39 |
Clive Johnston |
bug |
|
|
added subscriber Jose Manuel Santamaria Lema |
| 2016-10-05 22:20:28 |
Simon Quigley |
ubuntu: assignee |
|
Simon Quigley (tsimonq2) |
|
| 2016-10-05 22:20:30 |
Simon Quigley |
ubuntu: status |
New |
In Progress |
|
| 2016-10-05 22:25:43 |
Simon Quigley |
bug task added |
|
kcoreaddons (Ubuntu) |
|
| 2016-10-05 22:26:51 |
Simon Quigley |
ubuntu: status |
In Progress |
Invalid |
|
| 2016-10-05 22:26:51 |
Simon Quigley |
ubuntu: assignee |
Simon Quigley (tsimonq2) |
|
|
| 2016-10-05 22:27:22 |
Simon Quigley |
bug task deleted |
kcoreaddons (Ubuntu) |
|
|
| 2016-10-05 22:27:36 |
Simon Quigley |
affects |
ubuntu |
kcoreaddons (Ubuntu) |
|
| 2016-10-05 22:27:36 |
Simon Quigley |
kcoreaddons (Ubuntu): status |
Invalid |
In Progress |
|
| 2016-10-05 22:27:36 |
Simon Quigley |
kcoreaddons (Ubuntu): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2016-10-05 23:41:11 |
Clive Johnston |
kcoreaddons (Ubuntu): importance |
Critical |
High |
|
| 2016-10-06 00:03:57 |
Clive Johnston |
bug |
|
|
added subscriber Philip Muškovac |
| 2016-10-06 02:48:04 |
Simon Quigley |
attachment added |
|
precise.debdiff https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+attachment/4755580/+files/precise.debdiff |
|
| 2016-10-06 18:02:46 |
Clive Johnston |
cve linked |
|
2016-7966 |
|
| 2016-10-06 22:57:59 |
Clive Johnston |
attachment added |
|
kcoreaddons-5.26.0.debdiff https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+attachment/4756351/+files/kcoreaddons-5.26.0.debdiff |
|
| 2016-10-07 12:40:55 |
Clive Johnston |
bug |
|
|
added subscriber Scott Kitterman |
| 2016-10-07 21:57:17 |
Clive Johnston |
information type |
Private Security |
Public Security |
|
| 2016-10-07 23:58:01 |
Clive Johnston |
nominated for series |
|
Ubuntu Precise |
|
| 2016-10-07 23:58:01 |
Clive Johnston |
nominated for series |
|
Ubuntu Yakkety |
|
| 2016-10-07 23:58:01 |
Clive Johnston |
bug task added |
|
kcoreaddons (Ubuntu Yakkety) |
|
| 2016-10-07 23:58:01 |
Clive Johnston |
nominated for series |
|
Ubuntu Xenial |
|
| 2016-10-07 23:58:01 |
Clive Johnston |
bug task added |
|
kcoreaddons (Ubuntu Xenial) |
|
| 2016-10-07 23:58:01 |
Clive Johnston |
nominated for series |
|
Ubuntu Trusty |
|
| 2016-10-07 23:58:26 |
Clive Johnston |
kcoreaddons (Ubuntu Yakkety): assignee |
Simon Quigley (tsimonq2) |
Clive Johnston (clivejo) |
|
| 2016-10-08 00:00:00 |
Scott Kitterman |
bug task added |
|
kcoreaddons (Ubuntu Precise) |
|
| 2016-10-08 00:00:20 |
Scott Kitterman |
bug task added |
|
kcoreaddons (Ubuntu Trusty) |
|
| 2016-10-08 00:38:26 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
| 2016-10-08 00:38:42 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
| 2016-10-08 15:49:57 |
Simon Quigley |
kcoreaddons (Ubuntu Precise): status |
New |
In Progress |
|
| 2016-10-08 15:50:01 |
Simon Quigley |
kcoreaddons (Ubuntu Precise): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2016-10-09 10:24:24 |
Launchpad Janitor |
kcoreaddons (Ubuntu Yakkety): status |
In Progress |
Fix Released |
|
| 2016-10-11 18:01:46 |
Clive Johnston |
kcoreaddons (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2016-10-11 18:01:51 |
Clive Johnston |
kcoreaddons (Ubuntu Trusty): importance |
Undecided |
High |
|
| 2016-10-11 18:01:55 |
Clive Johnston |
kcoreaddons (Ubuntu Precise): importance |
Undecided |
High |
|
| 2016-10-12 11:46:07 |
Marc Deslauriers |
kcoreaddons (Ubuntu Trusty): status |
New |
Fix Released |
|
| 2016-10-12 11:46:16 |
Marc Deslauriers |
kcoreaddons (Ubuntu Precise): status |
In Progress |
Invalid |
|
| 2016-10-12 11:46:21 |
Marc Deslauriers |
kcoreaddons (Ubuntu Trusty): status |
Fix Released |
Invalid |
|
| 2016-10-12 11:46:36 |
Marc Deslauriers |
kcoreaddons (Ubuntu Xenial): status |
New |
Confirmed |
|
| 2016-10-12 11:47:39 |
Marc Deslauriers |
removed subscriber Ubuntu Security Sponsors Team |
|
|
|
| 2017-07-25 04:24:35 |
Simon Quigley |
kcoreaddons (Ubuntu Trusty): status |
Invalid |
Fix Released |
|
| 2017-08-10 22:28:12 |
Simon Quigley |
kcoreaddons (Ubuntu Xenial): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2017-08-10 22:28:15 |
Simon Quigley |
kcoreaddons (Ubuntu Xenial): status |
Confirmed |
In Progress |
|
| 2017-08-10 22:29:27 |
Simon Quigley |
description |
KDE Project Security Advisory
=============================
Title: KMail: HTML injection
Risk Rating: Important
CVE: #TODO
Platforms: All
Versions: kmail >= 4.4.0
Author: #TODO
Date: #TODO
Overview
========
Through a malicious URL that contained a quote character it
was possible to inject HTML code in KMail's plain text viewer.
Due to the parser used on the URL it was not possible to include
the equal sign (=) or a space into the injected HTML, which greatly
reduces the available HTML functionality. Although it is possible
to include an HTML comment indicator to hide content.
Impact
======
An unauthenticated attacker can send out mails with malicious content
that breaks KMail's plain text HTML escape logic. Due to the limitations
of the provided HTML in itself it might not be serious. But as a way
to break out of KMail's restricted Plain text mode this might open
the way to the exploitation of other vulnerabilities in the HTML viewer
code, which is disabled by default.
Workaround
==========
None.
Solution
========
For KDE Frameworks based releases of KMail apply the following patch to
kcoreaddons:
https://quickgit.kde.org/?
p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12
For KDE 4 apply the following patch:
https://quickgit.kde.org/?
p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and Laurent Montel for
fixing this issue. |
KDE Project Security Advisory
=============================
Title: KMail: HTML injection in plain text viewer
Risk Rating: Important
CVE: CVE-2016-7966
Platforms: All
Versions: kmail >= 4.4.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
Through a malicious URL that contained a quote character it
was possible to inject HTML code in KMail's plain text viewer.
Due to the parser used on the URL it was not possible to include
the equal sign (=) or a space into the injected HTML, which greatly
reduces the available HTML functionality. Although it is possible
to include an HTML comment indicator to hide content.
Impact
======
An unauthenticated attacker can send out mails with malicious content
that breaks KMail's plain text HTML escape logic. Due to the limitations
of the provided HTML in itself it might not be serious. But as a way
to break out of KMail's restricted Plain text mode this might open
the way to the exploitation of other vulnerabilities in the HTML viewer
code, which is disabled by default.
Workaround
==========
None.
Solution
========
For KDE Frameworks based releases of KMail apply the following patch to
kcoreaddons:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12
For kdelibs4 based releases apply the following patch:
https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and Laurent Montel for
fixing this issue.
Updated Information (1 November 2016)
=====================================
The above mentioned patches are not enough to fix the vulnerability completely.
This wasn't visible, because the patches for CVE-2016-7967 and CVE-2016-7968 made sure,
that this vulnerability can't harm anymore.
It only became visible, that this vulnerability isn't closed completely for systems,
that are only affected by this CVE.
For KCoreAddons you need:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12
for applying this patch you may also need to cherry-pick:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=1be7272373d60e4234f1a5584e676b579302b053
(these two are released in KCoreAddons KDE Frameworks 5.27.0)
additionally git commits, to close completely:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
not needed in the strong sense, but this will give you the additional automatic tests, to test if this CVE is closed:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=a06cef31cc4c908bc9b76bd9d103fe9c60e0953f
(will be part of KCoreAddons KDE Frameworks 5.28.0)
For kdepimlibs 4.14:
https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=8bbe1bd3fdc55f609340edc667ff154b3d2aaab1
kdepimlibs is at end of life, so no further release is planned. |
|
| 2017-08-10 22:39:20 |
Simon Quigley |
bug task added |
|
kdepimlibs (Ubuntu) |
|
| 2017-08-10 22:39:49 |
Simon Quigley |
bug task deleted |
kdepimlibs (Ubuntu Precise) |
|
|
| 2017-08-10 22:40:23 |
Simon Quigley |
kdepimlibs (Ubuntu Trusty): status |
New |
In Progress |
|
| 2017-08-10 22:40:25 |
Simon Quigley |
kdepimlibs (Ubuntu Trusty): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2017-08-10 22:40:27 |
Simon Quigley |
kdepimlibs (Ubuntu): status |
New |
Fix Released |
|
| 2017-08-10 22:41:09 |
Simon Quigley |
bug task deleted |
kdepimlibs (Ubuntu Xenial) |
|
|
| 2017-08-10 22:41:12 |
Simon Quigley |
bug task deleted |
kdepimlibs (Ubuntu Yakkety) |
|
|
| 2017-08-11 02:43:24 |
Simon Quigley |
summary |
CVE - KMail - HTML injection in plain text viewer |
[CVE] KMail - HTML injection in plain text viewer |
|
| 2017-08-11 02:58:00 |
Simon Quigley |
attachment added |
|
1-4.13.3-0ubuntu0.4.debdiff https://bugs.launchpad.net/ubuntu/+source/kdepimlibs/+bug/1630700/+attachment/4930441/+files/1-4.13.3-0ubuntu0.4.debdiff |
|
| 2017-08-12 04:59:04 |
Simon Quigley |
attachment added |
|
1-5.18.0-0ubuntu1.1.debdiff https://bugs.launchpad.net/ubuntu/+source/kdepimlibs/+bug/1630700/+attachment/4931056/+files/1-5.18.0-0ubuntu1.1.debdiff |
|
| 2017-08-12 04:59:16 |
Simon Quigley |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
| 2017-08-12 05:27:39 |
Simon Quigley |
attachment added |
|
2-4.13.3-0ubuntu0.4.debdiff https://bugs.launchpad.net/ubuntu/+source/kdepimlibs/+bug/1630700/+attachment/4931060/+files/2-4.13.3-0ubuntu0.4.debdiff |
|
| 2017-08-21 16:58:03 |
Launchpad Janitor |
kcoreaddons (Ubuntu Xenial): status |
In Progress |
Fix Released |
|
| 2017-08-21 16:58:05 |
Launchpad Janitor |
kdepimlibs (Ubuntu Trusty): status |
In Progress |
Fix Released |
|
| 2017-09-17 02:00:07 |
Simon Quigley |
kcoreaddons (Ubuntu Precise): assignee |
Simon Quigley (tsimonq2) |
|
|
| 2017-09-17 02:00:11 |
Simon Quigley |
kcoreaddons (Ubuntu Xenial): assignee |
Simon Quigley (tsimonq2) |
|
|
| 2017-09-17 02:00:15 |
Simon Quigley |
kdepimlibs (Ubuntu Trusty): assignee |
Simon Quigley (tsimonq2) |
|
|
