** Description changed:

  KDE Project Security Advisory
  =============================

  Title: KMail: JavaScript access to local and remote URLs
  Risk Rating: Critical
  CVE: CVE-2016-7967
  Platforms: All
  Versions: kmail 5.3.0
  Author: Andre Heinecke <aheine...@intevation.de>
  Date: 6 October 2016

  Overview
  ========

  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
- in the local file security context by default access to remote and local URLs
- was enabled.
+ in the local file security context by default access to remote and local
+ URLs was enabled.

  Impact
  ======

  An unauthenticated attacker can send out mails with malicious content with
  executable JavaScript code that read or write local files and send them
- to
- remote URLs or change the contents of local files in malicous ways. The
+ to remote URLs or change the contents of local files in malicious ways. The
  code is executed when when viewing HTML the mails.

- Combined with CVE #TODO this could .
+ Combined with CVE-2016-7966 the code could also be executed when viewing
+ plain text mails.

  Workaround
  ==========

- Assuming a version with CVE #TODO fixed a user is protected
+ Assuming a version with CVE-2016-7966 fixed a user is protected
  from this by only viewing plain text mails.

  Solution
  ========

  For KMail apply the following patch:
- https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
+ https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1

  Credits
  =======

  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.
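Review bot: the context lines carried through unchanged by this description edit still contain wording errors that could have been fixed in the same pass: in Impact, "The code is executed when when viewing HTML the mails." (duplicated "when", misplaced "the") should read "The code is executed when viewing HTML mails."; in Credits, "for analysing and the problems and reviewing the fix" has a stray "and" and should read "for analysing the problems and reviewing the fix". Both sentences are also copied verbatim into the advisory appended in the later description change, so fixing them here avoids carrying the errors forward.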
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7968

** Description changed:

  KDE Project Security Advisory
  =============================

  Title: KMail: JavaScript access to local and remote URLs
  Risk Rating: Critical
  CVE: CVE-2016-7967
  Platforms: All
  Versions: kmail 5.3.0
  Author: Andre Heinecke <aheine...@intevation.de>
  Date: 6 October 2016

  Overview
  ========

  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
  in the local file security context by default access to remote and local
  URLs was enabled.

  Impact
  ======

  An unauthenticated attacker can send out mails with malicious content with
  executable JavaScript code that read or write local files and send them
  to remote URLs or change the contents of local files in malicious ways. The
  code is executed when when viewing HTML the mails.

  Combined with CVE-2016-7966 the code could also be executed when viewing
  plain text mails.

  Workaround
  ==========

  Assuming a version with CVE-2016-7966 fixed a user is protected
  from this by only viewing plain text mails.

  Solution
  ========

  For KMail apply the following patch:
  https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1

  Credits
  =======

  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.
+
+ ==== This bug also aims to fix: ====
+
+ KDE Project Security Advisory
+ =============================
+
+ Title: KMail: JavaScript execution in HTML Mails
+ Risk Rating: Normal
+ CVE: CVE-2016-7968
+ Platforms: All
+ Versions: kmail 5.3.0
+ Author: Andre Heinecke <aheine...@intevation.de>
+ Date: 6 October 2016
+
+ Overview
+ ========
+
+ KMail since version 5.3.0 used a QWebEngine based viewer
+ that had JavaScript enabled. HTML Mail contents were not sanitized for
+ JavaScript and included code was executed.
+
+ Impact
+ ======
+
+ An unauthenticated attacker can send out mails with Javascript to manipulate
+ the display of messages. The JavaScript executed might be used as an entry
+ point for further exploits.
+
+ Workaround
+ ==========
+
+ Assuming a version with CVE-2016-7966 fixed a user is protected
+ from this by only viewing plain text mails.
+
+ Solution
+ ========
+
+ The full solution disables JavaScript in the Mailviewer of KMail. This
+ requires API introduced in Qt 5.7.0 so KMail needs to be built with
+ Qt 5.7.0 and the following patch:
+ https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=f601f9ffb706f7d3a5893b04f067a1f75da62c99
+
+ For versions previous to 5.7.0 the following patches partly sanitize mails
+ but still make it possible to inject code:
+ https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=3503b75e9c79c3861e182588a0737baf165abd23
+ https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=a8744798dfdf8e41dd6a378e48662c66302b0019
+ https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=77976584a4ed2797437a2423704abdd7ece7834a
+ https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=fb1be09360c812d24355076da544030a67b736fc
+ https://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=0402c17a8ead92188971cb604d905b3072d56a73
+
+ Credits
+ =======
+
+ Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
+ Intevation GmbH for analysing and the problems and reviewing the fix
+ and Laurent Montel for fixing the issues.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630699

Title:
  CVE - KMail - JavaScript access to local and remote URLs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kf5-messagelib/+bug/1630699/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs