These patches don't apply to the released versions, I've taken a diff from the branches
https://packaging.neon.kde.org/applications/messagelib.git/tree/debian/patches/kde_01_CVE-2016-7968-CVE-2016-7966.diff?h=Neon/release
https://packaging.neon.kde.org/frameworks/kcoreaddons.git/tree/debian/patches/kde_01_CVE-2016-7966.diff?h=Neon/release

Jonathan

On 6 October 2016 at 18:44, Albert Astals Cid <[email protected]> wrote:
> KDE Project Security Advisory
> =============================
>
> Title: KMail: HTML injection in plain text viewer
> Risk Rating: Important
> CVE: CVE-2016-7966
> Platforms: All
> Versions: kmail >= 4.4.0
> Author: Andre Heinecke <[email protected]>
> Date: 6 October 2016
>
> Overview
> ========
>
> Through a malicious URL that contained a quote character it
> was possible to inject HTML code in KMail's plain text viewer.
> Due to the parser used on the URL it was not possible to include
> the equal sign (=) or a space into the injected HTML, which greatly
> reduces the available HTML functionality. Although it is possible
> to include an HTML comment indicator to hide content.
>
> Impact
> ======
>
> An unauthenticated attacker can send out mails with malicious content
> that breaks KMail's plain text HTML escape logic. Due to the limitations
> of the provided HTML in itself it might not be serious. But as a way
> to break out of KMail's restricted Plain text mode this might open
> the way to the exploitation of other vulnerabilities in the HTML viewer
> code, which is disabled by default.
>
> Workaround
> ==========
>
> None.
>
> Solution
> ========
>
> For KDE Frameworks based releases of KMail apply the following patch to
> kcoreaddons:
> https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12
>
> For kdelibs4 based releases apply the following patch:
> https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
>
> Credits
> =======
>
> Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
> Intevation GmbH for analysing the problems and Laurent Montel for
> fixing this issue.
