Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hey,

> > > Would this also fix the issue with the second mail I posted (positioning
> > > of content elements over the header)?
> >
> > yes because now the header css is only active in the header.
>
> Did you test with the example mail I provided?

yes.

> > > My suggestion would have been to wrap the mail body in an iframe
> > > instead.
> >
> > mmh do you can add headers etc. inside iframe? for me all docus looks
> > like, that you can only place a url and nothing else.
>
> You can either load a document from a URL with the src="…" attribute or add
> a document inline with the srcdoc="…" attribute. The latter would require
> smart escaping of the message body and is in general a somewhat broken idea
> in my opinion.
>
> I'd actually write the message body to be displayed as HTML to a temporary
> file and load that with .
>
> Actually, the iframe's sandbox attribute seems to be the way to go here, as
> it prevents the exact things we want to prevent here.
>
> Your approach is a good additional safety net, though.

Well if that works please provide a patch for that and bring it upstream.

Regards,

sandro
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hi,

> > Would this also fix the issue with the second mail I posted (positioning
> > of content elements over the header)?
>
> yes because now the header css is only active in the header.

Did you test with the example mail I provided?

> > My suggestion would have been to wrap the mail body in an iframe instead.
>
> mmh do you can add headers etc. inside iframe? for me all docus looks like,
> that you can only place a url and nothing else.

You can either load a document from a URL with the src="…" attribute or add a document inline with the srcdoc="…" attribute. The latter would require smart escaping of the message body and is in general a somewhat broken idea in my opinion.

I'd actually write the message body to be displayed as HTML to a temporary file and load that with .

Actually, the iframe's sandbox attribute seems to be the way to go here, as it prevents the exact things we want to prevent here.

Your approach is a good additional safety net, though.

-nik

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Mobil: +49-1520-1981389
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)
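The srcdoc variant mentioned in the message above, with the attribute escaping it requires, as an added example that is not part of the original thread and is not KMail or messagelib code. The function names and the sample message are constructed for illustration.

```javascript
// Added example, not KMail code: keep an untrusted HTML mail body away from
// the viewer's header markup by rendering it in a sandboxed iframe.
// Function names and the sample message are constructed for illustration.

// Escape header values (plain text) for use as element content.
function escapeText(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Escape a complete HTML document for a double-quoted srcdoc="..." attribute.
// Only '&' and '"' are special there; '&' goes first so that the entity
// written for '"' is not escaped a second time.
function escapeSrcdoc(html) {
  return String(html).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Decode the two entities escapeSrcdoc emits, as an HTML parser would before
// parsing the nested document; used to check the body survives unchanged.
function unescapeSrcdoc(value) {
  return value.replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// The header table lives in the outer document. The body is a separate
// document, so its CSS (html/body rules, absolute positioning) cannot reach
// the header. sandbox="" additionally disables scripts, forms, popups and
// navigation of the top-level page by the framed content.
function renderMessage(headers, bodyHtml) {
  const rows = Object.entries(headers)
    .map(([k, v]) => `<tr><th>${escapeText(k)}</th><td>${escapeText(v)}</td></tr>`)
    .join("");
  return (
    `<div id="header"><table>${rows}</table></div>\n` +
    `<iframe id="body" sandbox="" srcdoc="${escapeSrcdoc(bodyHtml)}"></iframe>`
  );
}

// Pull the srcdoc value back out of the rendered page and decode it.
function extractSrcdoc(page) {
  const m = /srcdoc="([^"]*)"/.exec(page);
  return m ? unescapeSrcdoc(m[1]) : null;
}

// Constructed sample: a body that centres everything and positions an element
// at the top of the page, the two effects reported in this bug.
const SAMPLE_HEADERS = { From: "Alice <alice@example.org>", Subject: "Offer" };
const SAMPLE_BODY =
  '<html><body style="text-align:center">' +
  '<div style="position:absolute; top:0; left:0">Sale &amp; more</div>' +
  "</body></html>";

const SAMPLE_PAGE = renderMessage(SAMPLE_HEADERS, SAMPLE_BODY);
console.log(SAMPLE_PAGE);
```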
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Hi,

> > 2. in my follow-up, I showed that in 16.04, legitimate HTML mail breaks
> > the UI. This has nothing to do with spoofing - KMail breaks when opening
> > random, legitimate mail. I cannot even click any controls in the mail view
> > anymore. This affects daily, normal work with KMail and makes it unusable
> > for reading legitimate mail. That is the definition of "grave
> > functionality bug".
>
> Yes, it breaks but:
>
> - only on certain mails. Not any mail shows this behaviour. In fact I
> haven't even seen it before and I use kmail daily.
>
> - you can change the way headers are displayed and this bug doesn't show up
> (I have just tried your example with "Fancy headers"), so there is a known
> work around.

That'd be ok if I chose some header format in the first place. I am using what KMail imposes on me (changing with every version). As a matter of fact, after the upgrade, KMail imposed a new header layout on me *and* failed to display some e-mail messages correctly. Maybe not overriding user settings with every upgrade would be a good starting point (I do not know whether this should address the Debian maintainers or upstream).

> So it might be annoying for you, but considering the above it does not meet
> the RC criterion at least from the usability side.

OK… I still do not agree with that, though.

> On the other hand, please avoid expressions that might sound harsh like
> "Please do something!" and "Did you read all of this bug report?". Always do
> your best to be kind. After all you already did the only thing we can do:
> report the bug upstream. We are volunteers trying to make things happen, we
> do not get paid for doing this and definitely we are not your employees. A
> little respect goes a long way :)

Well, this bug report has been open for almost half a year without any reaction whatsoever, neither by upstream nor by a maintainer. Instead, with another upgrade, it even got worse.

I understand that both upstream and maintainers are volunteers, but they agreed on reacting to certain kinds of bug reports within a reasonable time. I know that if I completely ignored a security bug in one of my packages for several months, I'd be beheaded by my sponsors. Doing something in your free time does not mean users can't get annoyed when the software they use gets worse instead of better.

Cheers,
Nik

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Mobil: +49-1520-1981389
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Control: severity -1 important

On Monday, 25 July 2016 12:17:55 PM ART Dominik George wrote:
> Control: severity -1 grave

Please: do not override a maintainer's severity.

> Hi,
>
> >Even more, a mail header can be "spoofed" using simpler tools, like an
> >smtp server, thus I'm not really convinced that this bug deserves a "grave"
> >severity.
>
> Did you read all of this bug report?

I did. I will not emit a judgment on the security side of this as this is really something I don't manage, but...

> 2. in my follow-up, I showed that in 16.04, legitimate HTML mail breaks the
> UI. This has nothing to do with spoofing - KMail breaks when opening
> random, legitimate mail. I cannot even click any controls in the mail view
> anymore. This affects daily, normal work with KMail and makes it unusable
> for reading legitimate mail. That is the definition of "grave functionality
> bug".

Yes, it breaks but:

- only on certain mails. Not any mail shows this behaviour. In fact I haven't even seen it before and I use kmail daily.

- you can change the way headers are displayed and this bug doesn't show up (I have just tried your example with "Fancy headers"), so there is a known work around.

So it might be annoying for you, but considering the above it does not meet the RC criterion at least from the usability side.

On the other hand, please avoid expressions that might sound harsh like "Please do something!" and "Did you read all of this bug report?". Always do your best to be kind. After all you already did the only thing we can do: report the bug upstream. We are volunteers trying to make things happen, we do not get paid for doing this and definitely we are not your employees. A little respect goes a long way :)

Thank you for your understanding!

--
This end should point toward the ground if you want to go to space.
If it starts pointing toward space you are having a bad problem and you will not get to space today.
http://xkcd.com/1133/

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout
Processing control commands:

> severity -1 important
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Severity set to 'important' from 'grave'

--
814762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout
Processing control commands:

> severity -1 important
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Ignoring request to change severity of Bug 814762 to the same value.

--
814762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hi,

> Would this also fix the issue with the second mail I posted (positioning of
> content elements over the header)?

yes because now the header css is only active in the header.

> My suggestion would have been to wrap the mail body in an iframe instead.

mmh do you can add headers etc. inside iframe? for me all docus looks like, that you can only place a url and nothing else.

Regards,

sandro
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hi,

> I actually sat down today and fixed the issue or at least made it more
> difficult to break the UI.
>
> http://commits.kde.org/messagelib/3f9d16c7dadd2c98b00c5e7216cd69cfb518cab9
> http://commits.kde.org/kdepim-addons/a97f99b2769d39ffa03a2cd2454f10ef93222486
> http://commits.kde.org/kdepim-addons/cab925e9d4769762ea0080d49f392022cd8e78dd

Would this also fix the issue with the second mail I posted (positioning of content elements over the header)?

My suggestion would have been to wrap the mail body in an iframe instead.

-nik

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Mobil: +49-1520-1981389
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hey,

I actually sat down today and fixed the issue or at least made it more difficult to break the UI.

http://commits.kde.org/messagelib/3f9d16c7dadd2c98b00c5e7216cd69cfb518cab9
http://commits.kde.org/kdepim-addons/a97f99b2769d39ffa03a2cd2454f10ef93222486
http://commits.kde.org/kdepim-addons/cab925e9d4769762ea0080d49f392022cd8e78dd

Regards,

sandro
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
In order to speed things up, I will look into providing a patch today.

-nik

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Mobil: +49-1520-1981389
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Control: severity -1 grave

Hi,

>Even more, a mail header can be "spoofed" using simpler tools, like an
>smtp server, thus I'm not really convinced that this bug deserves a "grave"
>severity.

Did you read all of this bug report?

1. I explained that this method can do more than other ways of spoofing mail headers because mail filters do not see the spoofed headers,

2. in my follow-up, I showed that in 16.04, legitimate HTML mail breaks the UI. This has nothing to do with spoofing - KMail breaks when opening random, legitimate mail. I cannot even click any controls in the mail view anymore. This affects daily, normal work with KMail and makes it unusable for reading legitimate mail. That is the definition of "grave functionality bug".

I am ok with dropping the security tag, but the grave was for the follow-up.

The bug with the legitimate mail does *not* occur in any prior version, so migration would introduce this issue into testing.

In conclusion: I can read legitimate mail in kmail in testing; I can't do so in unstable. Thus, the new version should not migrate unless the bug is fixed.

-nik

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Mobil: +49-1520-1981389
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)
Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout
Processing control commands:

> severity -1 grave
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Severity set to 'grave' from 'important'

--
814762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout
Processing control commands:

> severity -1 important
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Severity set to 'important' from 'grave'

--
814762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Control: severity -1 important

Hello Dominik!

On 2016-07-24 at 22:11 +0200, Dominik George wrote:
> Package: kmail
> Version: 4:16.04.3-1
> Followup-For: Bug #814762
>
> It got worse. Today, I stumbled upon a legitimate HTML mail that just
> trashed the whole UI.
>
> Find attached the mail that caused the issue and a screenshot.
>
> Raising severity to grave. Please do something! Firstly, I am certain this
> is a security-relevant bug; secondly, it now makes stuff break in daily use.

I'm temporarily lowering the severity of this mail to finish the kdepim 16.04 transition. Also, I think that this issue should be easily reproducible in the older kmail2 versions, thus I see no reason to block the transition by this.

Even more, a mail header can be "spoofed" using simpler tools, like an smtp server, thus I'm not really convinced that this bug deserves a "grave" severity.

Happy hacking,

--
"There are only two things wrong with C++: The initial concept and the implementation."
-- Bertrand Meyer

Regards /\/\ /\ >< `/
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Package: kmail
Version: 4:16.04.3-1
Followup-For: Bug #814762

It got worse. Today, I stumbled upon a legitimate HTML mail that just trashed the whole UI.

Find attached the mail that caused the issue and a screenshot.

Raising severity to grave. Please do something! Firstly, I am certain this is a security-relevant bug; secondly, it now makes stuff break in daily use.

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kmail depends on:
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Package: kmail
Version: 4:4.14.10-2
Severity: normal

I just saw an HTML message where the style for html and body interferes with the message headers (in that case, the message headers got centered along with the rest of the message).

On first glance, this is a cosmetic issue. On second thought, it is imaginable that this can be abused to hide or inject information into the headers, thus easing phishing or scamming or even tricking the user into assuming a different sender, replying with confidential information.

I am not certain that the latter will actually work; if you agree with my thoughts, please take the relevant steps to make this a security bug.

-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kmail depends on: