Package: kde-runtime
Version: 4:17.08.3-2
Severity: important
Tags: security

Dear Maintainer,

"KDE Project Security Advisory: kio-extras: HTML Thumbnailer automatic
remote file access" (Message-ID: <5460566.RsyoOK3lV2@xps>, for some reason
the mailing list archives are for subscribers only) mentions that
'htmlthumbnail.so' accesses content from remote files in HTML files to
thumbnail. It has been assigned CVE number CVE-2018-19120.

KDE developers removed the HTML thumbnailer for KDE Applications 18.12.

The KDE advisory mentions kio-extras. I am not sure whether 'htmlthumbnail.so'
from KDE SC 4 in 'kde-runtime' is also affected.

If so, a workaround is to remove

/usr/lib/kde4/htmlthumbnail.so

The announcement should be accessible to the public on

https://www.kde.org/announcements/

soon.

Thanks,
Martin

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-tp520 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kde-runtime depends on:
ii  drkonqi                         5.13.4-1
ii  kde-runtime-data                4:17.08.3-2
ii  kdelibs5-plugins                4:4.14.38-2
ii  libasound2                      1.1.7-1
ii  libattica0.4                    0.4.2-2
ii  libc6                           2.27-8
ii  libcanberra0                    0.30-6
ii  libexiv2-14                     0.25-4
ii  libgcc1                         1:8.2.0-9
ii  libgcrypt20                     1.8.4-3
ii  libgpgme++2v5                   4:4.14.10-10
ii  libgpgme11                      1.12.0-4
ii  libjpeg62-turbo                 1:1.5.2-2+b1
ii  libkactivities6                 4:4.13.3-2
ii  libkcmutils4                    4:4.14.38-2
ii  libkdeclarative5                4:4.14.38-2
ii  libkdecore5                     4:4.14.38-2
ii  libkdesu5                       4:4.14.38-2
ii  libkdeui5                       4:4.14.38-2
ii  libkdewebkit5                   4:4.14.38-2
ii  libkdnssd4                      4:4.14.38-2
ii  libkemoticons4                  4:4.14.38-2
ii  libkfile4                       4:4.14.38-2
ii  libkhtml5                       4:4.14.38-2
ii  libkio5                         4:4.14.38-2
ii  libkmediaplayer4                4:4.14.38-2
ii  libknewstuff3-4                 4:4.14.38-2
ii  libknotifyconfig4               4:4.14.38-2
ii  libkparts4                      4:4.14.38-2
ii  libkpty4                        4:4.14.38-2
ii  libntrack-qt4-1                 016-1.3
ii  libopenexr23                    2.2.1-4
ii  libphonon4                      4:4.10.1-1
ii  libplasma3                      4:4.14.38-2
ii  libpulse-mainloop-glib0         12.2-2
ii  libpulse0                       12.2-2
ii  libqt4-dbus                     4:4.8.7+dfsg-17
ii  libqt4-declarative              4:4.8.7+dfsg-17
ii  libqt4-network                  4:4.8.7+dfsg-17
ii  libqt4-script                   4:4.8.7+dfsg-17
ii  libqt4-svg                      4:4.8.7+dfsg-17
ii  libqt4-xml                      4:4.8.7+dfsg-17
ii  libqtcore4                      4:4.8.7+dfsg-17
ii  libqtgui4                       4:4.8.7+dfsg-17
ii  libqtwebkit4                    2.3.4.dfsg-10
ii  libsmbclient                    2:4.9.1+dfsg-2
ii  libsolid4                       4:4.14.38-2
ii  libssh-gcrypt-4                 0.8.4-3
ii  libstdc++6                      8.2.0-9
ii  libwebp6                        0.6.1-2
ii  libx11-6                        2:1.6.7-1
ii  libxcursor1                     1:1.1.15-1
ii  oxygen-icon-theme               5:5.51.0-1
ii  phonon                          4:4.10.1-1
ii  plasma-scriptengine-javascript  4:17.08.3-2

Versions of packages kde-runtime recommends:
ii  icoutils                                   0.32.3-2
pn  libcanberra-pulse | libcanberra-gstreamer  <none>
ii  sound-theme-freedesktop                    0.8-2
ii  udisks2                                    2.8.1-2
ii  upower                                     0.99.9-1

Versions of packages kde-runtime suggests:
pn  djvulibre-bin  <none>
ii  finger         0.17-15.1

-- no debconf information

-- debsums errors found:
debsums: missing file /usr/lib/kde4/htmlthumbnail.so (from kde-runtime package)
