KDE Project Security Advisory: KMail: HTML injection in plain text viewer
jr at jriddell.org
Thu Oct 6 22:44:58 UTC 2016
These patches don't apply to the released versions; I've taken a diff
from the branches.
On 6 October 2016 at 18:44, Albert Astals Cid <aacid at kde.org> wrote:
> KDE Project Security Advisory
> Title: KMail: HTML injection in plain text viewer
> Risk Rating: Important
> CVE: CVE-2016-7966
> Platforms: All
> Versions: kmail >= 4.4.0
> Author: Andre Heinecke <aheinecke at intevation.de>
> Date: 6 October 2016
> Through a malicious URL that contained a quote character it
> was possible to inject HTML code in KMail's plain text viewer.
> Due to the parser used on the URL it was not possible to include
> the equal sign (=) or a space into the injected HTML, which greatly
> reduces the available HTML functionality, although it is possible
> to include an HTML comment indicator to hide content.
> An unauthenticated attacker can send out mails with malicious content
> that breaks KMail's plain text HTML escape logic. Due to the limitations
> of the provided HTML in itself it might not be serious. But as a way
> to break out of KMail's restricted Plain text mode this might open
> the way to the exploitation of other vulnerabilities in the HTML viewer
> code, which is disabled by default.
> For KDE Frameworks based releases of KMail apply the following patch to
> For kdelibs4 based releases apply the following patch:
> Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
> Intevation GmbH for analysing the problems and Laurent Montel for
> fixing this issue.
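To make the mechanism described in the advisory concrete, here is an added Python model of a plain-text viewer that HTML-escapes the body and then turns bare URLs into links. It is written for this thread and is not KMail's code: the URL grammar (a URL runs until whitespace or '=', mirroring the advisory's note that the payload can contain neither), the evil.example addresses and the message text are all constructed. The vulnerable path writes the raw URL into the quoted href attribute, so a '"' in the URL closes the attribute and a following '<!--' hides everything up to the next '-->', which a second URL can supply; the fixed path escapes the attribute value like the rest of the text.

```python
import html
import re

# Toy URL grammar: a URL runs until whitespace or '='. This mirrors the
# constraint in the advisory that an injected payload can contain neither a
# space nor an equals sign (so no attributes such as onclick=...), while a
# comment opener '<!--' still fits. The grammar is an assumption of this
# example, not KMail's.
URL_RE = re.compile(r'https?://[^\s=]+')


def linkify(body: str, escape_href: bool) -> str:
    """Render a plain-text body as HTML: escape the text and wrap URLs in <a>.

    With escape_href=False the raw URL is written into the quoted href
    attribute, so a '"' inside the URL terminates the attribute and whatever
    follows is parsed as markup. With escape_href=True the attribute value is
    escaped like the text, which is the fix.
    """
    out, pos = [], 0
    for m in URL_RE.finditer(body):
        out.append(html.escape(body[pos:m.start()]))
        url = m.group(0)
        # html.escape() escapes '"' as well as '<', '>' and '&' by default.
        href = html.escape(url) if escape_href else url
        out.append(f'<a href="{href}">{html.escape(url)}</a>')
        pos = m.end()
    out.append(html.escape(body[pos:]))
    return "".join(out)


def visible_text(rendered: str) -> str:
    """Crude model of what a browser shows: drop comments, then tags, then
    decode entities. Good enough to see the effect of an injected '<!--'."""
    without_comments = re.sub(r'<!--.*?-->', '', rendered, flags=re.S)
    without_tags = re.sub(r'<[^>]*>', '', without_comments)
    return html.unescape(without_tags)


def hides_text(body: str, needle: str, escape_href: bool) -> bool:
    """True if `needle` is in the plain body but gone from the rendered view."""
    return needle in body and needle not in visible_text(linkify(body, escape_href))


# Constructed malicious mail. The first URL ends with '"><!--': the quote closes
# the href attribute, '>' closes the <a> tag, '<!--' opens a comment. The
# second URL ends with '-->' and closes it. The warning between them is hidden
# from the reader, and neither payload contains a space or '='.
MALICIOUS_BODY = (
    'Your invoice: http://evil.example/pay/"><!--\n'
    'WARNING from IT: this sender is not our bank.\n'
    'Pay here: http://evil.example/pay/--> thanks'
)

if __name__ == "__main__":
    for escape_href in (False, True):
        rendered = linkify(MALICIOUS_BODY, escape_href)
        print(f"escape_href={escape_href}")
        print("  HTML:   ", rendered.replace("\n", "\\n"))
        print("  visible:", visible_text(rendered).replace("\n", "\\n"))
        print("  warning hidden:", hides_text(MALICIOUS_BODY, "WARNING", escape_href))
```

Run it as a script to see both renderings side by side. Note that visible_text() is only a model of comment handling; a real HTML viewer also exposes any other markup the attacker manages to inject, which is why the advisory treats the break-out itself as the problem, independent of what the restricted payload can do on its own.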