Package: kde-runtime
Version: 4:17.08.3-2
Severity: important
Tags: security

Dear Maintainer,

"KDE Project Security Advisory: kio-extras: HTML Thumbnailer automatic remote file access" (Message-ID: <5460566.RsyoOK3lV2@xps>, for some reason the mailing list archives are for subscribers only) mentions that 'htmlthumbnail.so' accesses content from remote files in HTML files to thumbnail.

It has been assigned CVE number CVE-2018-19120.

KDE developers removed the HTML thumbnailer for KDE Applications 18.12.

KDE advisory mentions kio-extras. I am not sure whether 'htmlthumbnail.so' from KDE SC 4 in 'kde-runtime' is also affected.

If so, work-around is to remove /usr/lib/kde4/htmlthumbnail.so

The announcement should be accessible to the public on https://www.kde.org/announcements/ soon.

Thanks,
Martin

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-tp520 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kde-runtime depends on:
ii  drkonqi                         5.13.4-1
ii  kde-runtime-data                4:17.08.3-2
ii  kdelibs5-plugins                4:4.14.38-2
ii  libasound2                      1.1.7-1
ii  libattica0.4                    0.4.2-2
ii  libc6                           2.27-8
ii  libcanberra0                    0.30-6
ii  libexiv2-14                     0.25-4
ii  libgcc1                         1:8.2.0-9
ii  libgcrypt20                     1.8.4-3
ii  libgpgme++2v5                   4:4.14.10-10
ii  libgpgme11                      1.12.0-4
ii  libjpeg62-turbo                 1:1.5.2-2+b1
ii  libkactivities6                 4:4.13.3-2
ii  libkcmutils4                    4:4.14.38-2
ii  libkdeclarative5                4:4.14.38-2
ii  libkdecore5                     4:4.14.38-2
ii  libkdesu5                       4:4.14.38-2
ii  libkdeui5                       4:4.14.38-2
ii  libkdewebkit5                   4:4.14.38-2
ii  libkdnssd4                      4:4.14.38-2
ii  libkemoticons4                  4:4.14.38-2
ii  libkfile4                       4:4.14.38-2
ii  libkhtml5                       4:4.14.38-2
ii  libkio5                         4:4.14.38-2
ii  libkmediaplayer4                4:4.14.38-2
ii  libknewstuff3-4                 4:4.14.38-2
ii  libknotifyconfig4               4:4.14.38-2
ii  libkparts4                      4:4.14.38-2
ii  libkpty4                        4:4.14.38-2
ii  libntrack-qt4-1                 016-1.3
ii  libopenexr23                    2.2.1-4
ii  libphonon4                      4:4.10.1-1
ii  libplasma3                      4:4.14.38-2
ii  libpulse-mainloop-glib0         12.2-2
ii  libpulse0                       12.2-2
ii  libqt4-dbus                     4:4.8.7+dfsg-17
ii  libqt4-declarative              4:4.8.7+dfsg-17
ii  libqt4-network                  4:4.8.7+dfsg-17
ii  libqt4-script                   4:4.8.7+dfsg-17
ii  libqt4-svg                      4:4.8.7+dfsg-17
ii  libqt4-xml                      4:4.8.7+dfsg-17
ii  libqtcore4                      4:4.8.7+dfsg-17
ii  libqtgui4                       4:4.8.7+dfsg-17
ii  libqtwebkit4                    2.3.4.dfsg-10
ii  libsmbclient                    2:4.9.1+dfsg-2
ii  libsolid4                       4:4.14.38-2
ii  libssh-gcrypt-4                 0.8.4-3
ii  libstdc++6                      8.2.0-9
ii  libwebp6                        0.6.1-2
ii  libx11-6                        2:1.6.7-1
ii  libxcursor1                     1:1.1.15-1
ii  oxygen-icon-theme               5:5.51.0-1
ii  phonon                          4:4.10.1-1
ii  plasma-scriptengine-javascript  4:17.08.3-2

Versions of packages kde-runtime recommends:
ii  icoutils                                    0.32.3-2
pn  libcanberra-pulse | libcanberra-gstreamer   <none>
ii  sound-theme-freedesktop                     0.8-2
ii  udisks2                                     2.8.1-2
ii  upower                                      0.99.9-1

Versions of packages kde-runtime suggests:
pn  djvulibre-bin  <none>
ii  finger         0.17-15.1

-- no debconf information

-- debsums errors found:
debsums: missing file /usr/lib/kde4/htmlthumbnail.so (from kde-runtime package)
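
Added example, not part of the original report and not KDE or Debian code: a small Python scanner that lists the references in an HTML file which point away from the local machine, to illustrate the "automatic remote file access" the advisory title describes. The tag/attribute table and the `.example` hosts are assumptions made for illustration; the report does not state which references htmlthumbnail.so follows.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: tag/attribute pairs an HTML renderer usually loads on its own.
# The report does not say which of them htmlthumbnail.so follows.
AUTOLOAD = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
    "body": ("background",),
}
LOCAL_SCHEMES = {"", "file", "data", "about"}

def is_remote(url):
    """True unless the reference is a relative path or a local-only scheme."""
    url = url.strip()
    if url.startswith(("//", "\\\\")):   # protocol-relative URL or UNC path
        return True
    try:
        return urlsplit(url).scheme.lower() not in LOCAL_SCHEMES
    except ValueError:                   # unparsable: report it, do not hide it
        return True

class RemoteRefScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.remote = []                 # (tag, attribute, url) tuples

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in AUTOLOAD.get(tag, ()) and value and is_remote(value):
                self.remote.append((tag, name, value.strip()))

def scan_html(text):
    """Return every auto-loaded reference in text that is not local."""
    scanner = RemoteRefScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.remote

# Constructed sample document; the .example hosts are placeholders.
SAMPLE = """<html><head><link rel="stylesheet" href="style.css"></head>
<body><img src="logo.png"><img src="http://remote.example/pixel.gif">
<iframe src="//cdn.example/frame.html"></iframe>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="></body></html>"""

if __name__ == "__main__":
    for tag, attr, url in scan_html(SAMPLE):
        print(f"<{tag} {attr}> -> {url}")
```

Run over a directory of saved HTML files, the same function shows which of them would cause network traffic if a previewer loaded their embedded resources.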