KDE Project Security Advisory
Title: Plasma: Notifications can expose user IP address
Risk Rating: Low
Versions: Plasma < 5.12.0
Date: 8 February 2018
Plasma has support for the Desktop Notifications specification. That
specification allows embedding images in notifications. Plasma was not
sanitizing the HTML that forms the notification.
That allowed notifications to load a remote image, leaking the user's IP
address. This is in turn made a bit worse by the fact that some chat software
doesn't sanitize the text it sends to the notification system either, meaning
that a third party could send a carefully crafted message to a chat room and
get the IP addresses of the users in that chat room.
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9
Or apply the following patches:
Thanks to David Edmundson for the fix.
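The following is an added example, not Plasma's patch or code from the KDE project: one way to sanitize notification body markup before rendering, so that only the Desktop Notifications body tags survive and an image whose source is not a local file is replaced by its alt text. The names `sanitize`, `is_local_image` and `NotificationSanitizer`, the local-only image policy and the sample message are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Body tags defined by the Desktop Notifications specification; all others are dropped.
ALLOWED_TAGS = {"b", "i", "u", "a", "img"}

def is_local_image(src):
    """True only for sources that cannot cause a network fetch (assumed policy)."""
    parts = urlparse(src.strip())
    if parts.scheme == "file":
        return parts.netloc in ("", "localhost")
    # No scheme: accept absolute paths only; "//host/x" has a netloc and is rejected.
    return not parts.scheme and not parts.netloc and parts.path.startswith("/")

class NotificationSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            src, alt = attrs.get("src") or "", attrs.get("alt") or ""
            if is_local_image(src):
                self.out.append('<img src="%s" alt="%s"/>' % (escape(src), escape(alt)))
            else:
                self.out.append(escape(alt))  # remote image: keep the alt text only
        elif tag == "a":
            # A link is not fetched until the user clicks it, so href is kept.
            self.out.append('<a href="%s">' % escape(attrs.get("href") or ""))
        elif tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)  # attributes such as style= are dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "img":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(body):
    parser = NotificationSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

# Constructed sample: a chat message relayed unsanitized into a notification body.
SAMPLE = 'hi <img src="http://tracker.example/p.png" alt="pic"> <b>there</b>'
```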