Ubuntu
kf5-messagelib package

[CVE] KMail - JavaScript access to local and remote URLs

  1. Zesty (17.04)
  2. Bug #1630699
Bug #1630699 reported by Clive Johnston
272
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kf5-messagelib (Ubuntu)
Fix Released
Critical
Unassigned
Zesty
Invalid
Undecided
Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: CVE-2016-7967
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <email address hidden>
Date: 6 October 2016

Overview
========

KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local
URLs was enabled.

Impact
======

An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that read or write local files and send them
to remote URLs or change the contents of local files in malicious ways. The
code is executed when when viewing HTML the mails.
Combined with CVE-2016-7966 the code could also be executed when viewing
plain text mails.

Workaround
==========

Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.

Solution
========

For KMail apply the following patch:
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing and the problems and reviewing the fix
and Laurent Montel for fixing the issues.

==== This bug also aims to fix: ====

KDE Project Security Advisory
=============================

Title: KMail: JavaScript execution in HTML Mails
Risk Rating: Normal
CVE: CVE-2016-7968
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <email address hidden>
Date: 6 October 2016

Overview
========

KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. HTML Mail contents were not sanitized for
JavaScript and included code was executed.

Impact
======

An unauthenticated attacker can send out mails with Javascript to manipulate
the display of messages. The JavaScript executed might be used as an entry
point for further exploits.

Workaround
==========

Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.

Solution
========

The full solution disables JavaScript in the Mailviewer of KMail. This
requires API introduced in Qt 5.7.0 so KMail needs to be built with
Qt 5.7.0 and the following patch:
https://cgit.kde.org/messagelib.git/commit/?id=f601f9ffb706f7d3a5893b04f067a1f75da62c99

For versions previous to 5.7.0 the following patches partly sanitize mails
but still make it possible to inject code:
https://cgit.kde.org/messagelib.git/commit/?id=3503b75e9c79c3861e182588a0737baf165abd23
https://cgit.kde.org/messagelib.git/commit/?id=a8744798dfdf8e41dd6a378e48662c66302b0019
https://cgit.kde.org/messagelib.git/commit/?id=77976584a4ed2797437a2423704abdd7ece7834a
https://cgit.kde.org/messagelib.git/commit/?id=fb1be09360c812d24355076da544030a67b736fc
https://cgit.kde.org/messagelib.git/commit/?id=0402c17a8ead92188971cb604d905b3072d56a73

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing and the problems and reviewing the fix
and Laurent Montel for fixing the issues.

See original description

CVE References

Revision history for this message
Simon Quigley (tsimonq2) wrote :

We looked through the logs, and this doesn't affect us at the moment, but it *will* affect us if we upload 16.08.1.

Revision history for this message
Simon Quigley (tsimonq2) wrote :

We looked through these upstream Git logs: https://quickgit.kde.org/?p=kdepim.git

("we" being myself, Clive, and Rik, all subscribed to the bug report)

Clive Johnston (clivejo)
Changed in ubuntu:
status: New → Triaged
assignee: nobody → Simon Quigley (tsimonq2)
Clive Johnston (clivejo)
information type: Private Security → Public Security
Simon Quigley (tsimonq2)
description: updated
description: updated
description: updated
Revision history for this message
Simon Quigley (tsimonq2) wrote :

Fixed with 4:16.12.3-0ubuntu1, not applicable to the one in Zesty.

Changed in ubuntu:
status: Triaged → Fix Released
Revision history for this message
Simon Quigley (tsimonq2) wrote :

 status inprogress

affects: ubuntu → kf5-messagelib (Ubuntu)
Seth Arnold (seth-arnold)
Changed in kf5-messagelib (Ubuntu Zesty):
assignee: nobody → Simon Quigley (tsimonq2)
status: New → In Progress
Simon Quigley (tsimonq2)
description: updated
description: updated
Simon Quigley (tsimonq2)
summary: - CVE - KMail - JavaScript access to local and remote URLs
+ [CVE] KMail - JavaScript access to local and remote URLs
Simon Quigley (tsimonq2)
description: updated
Revision history for this message
Simon Quigley (tsimonq2) wrote :

not-affected for the kf5-messagelib in Zesty because it doesn't use QtWebEngine. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853241 for reference.

Changed in kf5-messagelib (Ubuntu Zesty):
status: In Progress → Invalid
Simon Quigley (tsimonq2)
Changed in kf5-messagelib (Ubuntu Zesty):
assignee: Simon Quigley (tsimonq2) → nobody
Changed in kf5-messagelib (Ubuntu):
assignee: Simon Quigley (tsimonq2) → nobody
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.