2016-10-05 17:49:06 |
Clive Johnston |
bug |
|
|
added bug |
2016-10-05 17:49:20 |
Clive Johnston |
bug |
|
|
added subscriber Rik Mills |
2016-10-05 17:49:33 |
Clive Johnston |
bug |
|
|
added subscriber Simon Quigley |
2016-10-05 19:03:28 |
Clive Johnston |
bug |
|
|
added subscriber Jose Manuel Santamaria Lema |
2016-10-05 23:19:43 |
Clive Johnston |
ubuntu: status |
New |
Triaged |
|
2016-10-05 23:20:08 |
Clive Johnston |
ubuntu: assignee |
|
Simon Quigley (tsimonq2) |
|
2016-10-06 00:03:47 |
Clive Johnston |
bug |
|
|
added subscriber Philip Muškovac |
2016-10-06 18:03:16 |
Clive Johnston |
cve linked |
|
2016-7967 |
|
2016-10-07 12:41:41 |
Clive Johnston |
bug |
|
|
added subscriber Scott Kitterman |
2016-10-07 21:57:34 |
Clive Johnston |
information type |
Private Security |
Public Security |
|
2017-08-10 20:59:40 |
Simon Quigley |
description |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: #TODO
Platforms: All
Versions: kmail 5.3.0
Author: #TODO
Date: # TODO
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local URLs
was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE #TODO this could .
Workaround
==========
Assuming a version with CVE #TODO fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: #TODO
Platforms: All
Versions: kmail 5.3.0
Author: #TODO
Date: # TODO
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local URLs
was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE #TODO this could .
Workaround
==========
Assuming a version with CVE #TODO fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://cgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
|
2017-08-10 21:00:13 |
Simon Quigley |
description |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: #TODO
Platforms: All
Versions: kmail 5.3.0
Author: #TODO
Date: # TODO
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local URLs
was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE #TODO this could .
Workaround
==========
Assuming a version with CVE #TODO fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://cgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: #TODO
Platforms: All
Versions: kmail 5.3.0
Author: #TODO
Date: # TODO
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local URLs
was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE #TODO this could .
Workaround
==========
Assuming a version with CVE #TODO fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
|
2017-08-10 21:01:26 |
Simon Quigley |
description |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: #TODO
Platforms: All
Versions: kmail 5.3.0
Author: #TODO
Date: # TODO
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local URLs
was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE #TODO this could .
Workaround
==========
Assuming a version with CVE #TODO fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: CVE-2016-7967
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local URLs
was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE #TODO this could .
Workaround
==========
Assuming a version with CVE #TODO fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
|
2017-08-11 02:53:27 |
Simon Quigley |
ubuntu: status |
Triaged |
Fix Released |
|
2017-08-16 03:00:29 |
Simon Quigley |
affects |
ubuntu |
kf5-messagelib (Ubuntu) |
|
2017-08-16 03:06:52 |
Seth Arnold |
nominated for series |
|
Ubuntu Zesty |
|
2017-08-16 03:06:52 |
Seth Arnold |
bug task added |
|
kf5-messagelib (Ubuntu Zesty) |
|
2017-08-16 03:07:28 |
Seth Arnold |
kf5-messagelib (Ubuntu Zesty): status |
New |
In Progress |
|
2017-08-16 03:07:28 |
Seth Arnold |
kf5-messagelib (Ubuntu Zesty): assignee |
|
Simon Quigley (tsimonq2) |
|
2017-08-16 07:50:13 |
Simon Quigley |
description |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: CVE-2016-7967
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local URLs
was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE #TODO this could .
Workaround
==========
Assuming a version with CVE #TODO fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: CVE-2016-7967
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local
URLs was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE-2016-7966 the code could also be executed when viewing
plain text mails.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
|
2017-08-16 07:52:49 |
Simon Quigley |
cve linked |
|
2016-7968 |
|
2017-08-16 07:54:06 |
Simon Quigley |
description |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: CVE-2016-7967
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local
URLs was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE-2016-7966 the code could also be executed when viewing
plain text mails.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: CVE-2016-7967
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local
URLs was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE-2016-7966 the code could also be executed when viewing
plain text mails.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues.
==== This bug also aims to fix: ====
KDE Project Security Advisory
=============================
Title: KMail: JavaScript execution in HTML Mails
Risk Rating: Normal
CVE: CVE-2016-7968
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. HTML Mail contents were not sanitized for
JavaScript and included code was executed.
Impact
======
An unauthenticated attacker can send out mails with JavaScript to manipulate
the display of messages. The JavaScript executed might be used as an entry
point for further exploits.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
The full solution disables JavaScript in the Mailviewer of KMail. This
requires API introduced in Qt 5.7.0 so KMail needs to be built with
Qt 5.7.0 and the following patch:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=f601f9ffb706f7d3a5893b04f067a1f75da62c99
For versions previous to 5.7.0 the following patches partly sanitize mails
but still make it possible to inject code:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=3503b75e9c79c3861e182588a0737baf165abd23
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=a8744798dfdf8e41dd6a378e48662c66302b0019
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=77976584a4ed2797437a2423704abdd7ece7834a
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=fb1be09360c812d24355076da544030a67b736fc
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=0402c17a8ead92188971cb604d905b3072d56a73
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
|
2017-08-18 02:54:01 |
Simon Quigley |
summary |
CVE - KMail - JavaScript access to local and remote URLs |
[CVE] KMail - JavaScript access to local and remote URLs |
|
2017-08-24 22:47:39 |
Simon Quigley |
description |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: CVE-2016-7967
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local
URLs was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE-2016-7966 the code could also be executed when viewing
plain text mails.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues.
==== This bug also aims to fix: ====
KDE Project Security Advisory
=============================
Title: KMail: JavaScript execution in HTML Mails
Risk Rating: Normal
CVE: CVE-2016-7968
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. HTML Mail contents were not sanitized for
JavaScript and included code was executed.
Impact
======
An unauthenticated attacker can send out mails with JavaScript to manipulate
the display of messages. The JavaScript executed might be used as an entry
point for further exploits.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
The full solution disables JavaScript in the Mailviewer of KMail. This
requires API introduced in Qt 5.7.0 so KMail needs to be built with
Qt 5.7.0 and the following patch:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=f601f9ffb706f7d3a5893b04f067a1f75da62c99
For versions previous to 5.7.0 the following patches partly sanitize mails
but still make it possible to inject code:
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=3503b75e9c79c3861e182588a0737baf165abd23
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=a8744798dfdf8e41dd6a378e48662c66302b0019
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=77976584a4ed2797437a2423704abdd7ece7834a
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=fb1be09360c812d24355076da544030a67b736fc
https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=0402c17a8ead92188971cb604d905b3072d56a73
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
KDE Project Security Advisory
=============================
Title: KMail: JavaScript access to local and remote URLs
Risk Rating: Critical
CVE: CVE-2016-7967
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. Since the generated html is executed
in the local file security context by default access to remote and local
URLs was enabled.
Impact
======
An unauthenticated attacker can send out mails with malicious content
with executable JavaScript code that reads or writes local files and sends them
to remote URLs or changes the contents of local files in malicious ways. The
code is executed when viewing the HTML mails.
Combined with CVE-2016-7966 the code could also be executed when viewing
plain text mails.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
For KMail apply the following patch:
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues.
==== This bug also aims to fix: ====
KDE Project Security Advisory
=============================
Title: KMail: JavaScript execution in HTML Mails
Risk Rating: Normal
CVE: CVE-2016-7968
Platforms: All
Versions: kmail 5.3.0
Author: Andre Heinecke <aheinecke@intevation.de>
Date: 6 October 2016
Overview
========
KMail since version 5.3.0 used a QWebEngine based viewer
that had JavaScript enabled. HTML Mail contents were not sanitized for
JavaScript and included code was executed.
Impact
======
An unauthenticated attacker can send out mails with JavaScript to manipulate
the display of messages. The JavaScript executed might be used as an entry
point for further exploits.
Workaround
==========
Assuming a version with CVE-2016-7966 fixed a user is protected
from this by only viewing plain text mails.
Solution
========
The full solution disables JavaScript in the Mailviewer of KMail. This
requires API introduced in Qt 5.7.0 so KMail needs to be built with
Qt 5.7.0 and the following patch:
https://cgit.kde.org/messagelib.git/commit/?id=f601f9ffb706f7d3a5893b04f067a1f75da62c99
For versions previous to 5.7.0 the following patches partly sanitize mails
but still make it possible to inject code:
https://cgit.kde.org/messagelib.git/commit/?id=3503b75e9c79c3861e182588a0737baf165abd23
https://cgit.kde.org/messagelib.git/commit/?id=a8744798dfdf8e41dd6a378e48662c66302b0019
https://cgit.kde.org/messagelib.git/commit/?id=77976584a4ed2797437a2423704abdd7ece7834a
https://cgit.kde.org/messagelib.git/commit/?id=fb1be09360c812d24355076da544030a67b736fc
https://cgit.kde.org/messagelib.git/commit/?id=0402c17a8ead92188971cb604d905b3072d56a73
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and reviewing the fix
and Laurent Montel for fixing the issues. |
|
2017-08-25 00:22:34 |
Simon Quigley |
kf5-messagelib (Ubuntu Zesty): status |
In Progress |
Invalid |
|
2017-08-25 00:23:27 |
Simon Quigley |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853241 |
|
2017-09-17 02:01:26 |
Simon Quigley |
kf5-messagelib (Ubuntu Zesty): assignee |
Simon Quigley (tsimonq2) |
|
|
2017-09-17 02:01:28 |
Simon Quigley |
kf5-messagelib (Ubuntu): assignee |
Simon Quigley (tsimonq2) |
|
|