KDE Project Security Advisory: KMail: HTML injection in plain text viewer

Jonathan Riddell jr at jriddell.org
Thu Oct 6 22:44:58 UTC 2016


These patches don't apply to the released versions, I've taken a diff
from the branches

https://packaging.neon.kde.org/applications/messagelib.git/tree/debian/patches/kde_01_CVE-2016-7968-CVE-2016-7966.diff?h=Neon/release
https://packaging.neon.kde.org/frameworks/kcoreaddons.git/tree/debian/patches/kde_01_CVE-2016-7966.diff?h=Neon/release

Jonathan


On 6 October 2016 at 18:44, Albert Astals Cid <aacid at kde.org> wrote:
> KDE Project Security Advisory
> =============================
>
> Title:          KMail: HTML injection in plain text viewer
> Risk Rating:    Important
> CVE:            CVE-2016-7966
> Platforms:      All
> Versions:       kmail >= 4.4.0
> Author:         Andre Heinecke <aheinecke at intevation.de>
> Date:           6 October 2016
>
> Overview
> ========
>
> Through a malicious URL that contained a quote character it
> was possible to inject HTML code in KMail's plain text viewer.
> Due to the parser used on the URL it was not possible to include
> the equal sign (=) or a space into the injected HTML, which greatly
> reduces the available HTML functionality. Although it is possible
> to include an HTML comment indicator to hide content.
>
> Impact
> ======
>
> An unauthenticated attacker can send out mails with malicious content
> that breaks KMail's plain text HTML escape logic. Due to the limitations
> of the provided HTML in itself it might not be serious. But as a way
> to break out of KMail's restricted Plain text mode this might open
> the way to the exploitation of other vulnerabilities in the HTML viewer
> code, which is disabled by default.
>
> Workaround
> ==========
>
> None.
>
> Solution
> ========
>
> For KDE Frameworks based releases of KMail apply the following patch to
> kcoreaddons:
> https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12
>
> For kdelibs4 based releases apply the following patch:
> https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
>
> Credits
> =======
>
> Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
> Intevation GmbH for analysing the problems and Laurent Montel for
> fixing this issue.
>


More information about the release-team mailing list