[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2013-03-29 Thread Bug Watch Updater
** Changed in: evolution
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evolution in Ubuntu.
https://bugs.launchpad.net/bugs/1037669

Title:
  gst-plugin-scanner and browser plugins are used when opening certain
  emails

Status in The Evolution Mail & Calendaring Tool:
  Fix Released
Status in “evolution” package in Ubuntu:
  Fix Released
Status in “evolution” source package in Quantal:
  Fix Released
Status in “evolution” package in Debian:
  New

Bug description:
  Evolution now uses webkit for html mail in 12.10. On launch, it tries
  to access the google-talkplugin. When looking at a certain message in
  preview mode (a google calendar invite), it tries to launch
  /usr/lib/x86_64-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner.
  Interestingly, this is happening even though I have 'Only
  ever show plain text' configured in Preferences/Mail Preferences/HTML
  Messages (I do have 'Show suppressed HTML parts as attachments'
  selected).

  This suggests that evolution:
   - would gladly use plugins
   - that javascript is possibly enabled (for the plugin finder)
   - that the WebKit HTML renderer is being invoked even though 'Only ever show
     plain text' is selected

  Webkit is an immensely powerful renderer and it is being used to
  render completely untrusted input from anyone who can send an email.
  We need to make sure that plugins and javascript are disabled and that
  the renderer is not being used at all when 'Only ever show plain text'
  is enabled (it could be used to deliver text/plain, but it seems that
  it is processing the HTML then discarding it). This would bring it in
  line with Thunderbird's policies.

  I noticed this because I use AppArmor to confine evolution.
  Unfortunately in my situation, evolution hung on the message that
  invoked the plugin finder because the plugin finder failed to launch.
  I have rules now that will prevent the hang, but evolution isn't
  handling this error condition gracefully either.

  This should be considered an important security regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/evolution/+bug/1037669/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
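
The report above came to light through AppArmor denials. As an added example (not part of the original thread, and not the reporter's own tooling), this Python script scans AppArmor audit records for a confined mail client that tries to execute helpers or touch plugin files. Assumptions: the log lines are constructed, the profile name /usr/bin/evolution and the "plugin" substring heuristic are illustrative, and the talkplugin and home-directory paths are placeholders; only the gst-plugin-scanner path comes from the report.

```python
import re

# key="quoted value" or key=bare_value pairs as they appear in audit records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# AppArmor logs a value as bare hex when it contains spaces or odd characters.
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
HEX_ENCODED_KEYS = {"name", "profile", "comm"}

# Path quoted in the bug description.
GST_SCANNER = ("/usr/lib/x86_64-linux-gnu/gstreamer0.10/"
               "gstreamer-0.10/gst-plugin-scanner")
# Constructed placeholder paths (assumptions, not taken from the report).
PLUGIN_PLACEHOLDER = "/opt/EXAMPLE/google-talkplugin/plugin.so"
SPACED_PLUGIN = "/home/user/my plugins/helper.so"


def _record(verdict, operation, profile, name_field, mask):
    """Build one constructed audit record in the kernel's AppArmor format."""
    return ('type=1400 audit(1345111331.100:31): apparmor="%s" '
            'operation="%s" profile="%s" %s pid=2301 comm="evolution" '
            'requested_mask="%s" denied_mask="%s" fsuid=1000 ouid=0'
            % (verdict, operation, profile, name_field, mask, mask))


# Constructed sample input; nothing here is real log data.
SAMPLE_LOG = [
    _record("DENIED", "open", "/usr/bin/evolution",
            'name="%s"' % PLUGIN_PLACEHOLDER, "r"),
    _record("DENIED", "exec", "/usr/bin/evolution",
            'name="%s"' % GST_SCANNER, "x"),
    # Complain-mode record: the attempt happened even though it was allowed.
    _record("ALLOWED", "exec", "/usr/bin/evolution",
            'name="%s"' % GST_SCANNER, "x"),
    # Different profile: not the mail client, must be ignored.
    _record("DENIED", "exec", "/usr/bin/other-app", 'name="/bin/sh"', "x"),
    # Name containing a space, logged hex-encoded and unquoted.
    _record("DENIED", "open", "/usr/bin/evolution",
            "name=" + SPACED_PLUGIN.encode().hex().upper(), "r"),
    "Aug 16 10:02:11 host kernel: unrelated line",
]


def parse_audit_line(line):
    """Return the fields of an AppArmor audit record, or None if not one."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare or quoted
        if bare and key in HEX_ENCODED_KEYS and HEX_RE.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", errors="replace")
        fields[key] = value
    return fields


def helper_launch_attempts(lines, profile):
    """List (kind, verdict, path) for exec or plugin access by `profile`."""
    findings = []
    for line in lines:
        rec = parse_audit_line(line)
        if not rec or rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if rec.get("profile") != profile:
            continue
        name = rec.get("name", "")
        wants_exec = (rec.get("operation") == "exec"
                      or "x" in rec.get("denied_mask", ""))
        if wants_exec:
            findings.append(("exec", rec["apparmor"], name))
        elif "plugin" in name.lower():  # heuristic, see assumptions above
            findings.append(("plugin-access", rec["apparmor"], name))
    return findings


if __name__ == "__main__":
    for kind, verdict, path in helper_launch_attempts(
            SAMPLE_LOG, "/usr/bin/evolution"):
        print("%-13s %-7s %s" % (kind, verdict, path))
```

Any "exec" finding for a mail client's profile means message rendering reached code that spawns helper processes, which is the condition the report treats as a regression.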


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2013-03-21 Thread Bug Watch Updater
** Changed in: evolution
   Status: New => Confirmed

Status in The Evolution Mail & Calendaring Tool:
  Confirmed
Status in “evolution” package in Ubuntu:
  Fix Released
Status in “evolution” source package in Quantal:
  Fix Released
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2013-03-21 Thread Launchpad Bug Tracker
** Branch linked: lp:~mathieu-tl/ubuntu/raring/evolution/3.6.4

Status in The Evolution Mail & Calendaring Tool:
  Confirmed
Status in “evolution” package in Ubuntu:
  Fix Released
Status in “evolution” source package in Quantal:
  Fix Released
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-10-01 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-desktop/evolution/ubuntu

Status in The Evolution Mail & Calendaring Tool:
  New
Status in “evolution” package in Ubuntu:
  Fix Released
Status in “evolution” source package in Quantal:
  Fix Released
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-09-28 Thread Launchpad Bug Tracker
This bug was fixed in the package evolution - 3.6.0-0ubuntu3

---
evolution (3.6.0-0ubuntu3) quantal; urgency=low

  * debian/patches/disable-webkit-plugins.patch: disable all webkit plugins
    when initializing the EWebView (the object that handles displaying messages
    in a message window and in preview), to avoid security issues because of
    these plugins. (LP: #1037669)
  * debian/control: flip the alternative Recommends for spamassassin and
    bogofilter to prefer spamassassin, since bogofilter got demoted.

 -- Mathieu Trudel-Lapierre <mathieu...@ubuntu.com>  Fri, 28 Sep 2012 13:23:53 -0400

** Changed in: evolution (Ubuntu Quantal)
   Status: In Progress => Fix Released

Status in The Evolution Mail & Calendaring Tool:
  New
Status in “evolution” package in Ubuntu:
  Fix Released
Status in “evolution” source package in Quantal:
  Fix Released
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-09-21 Thread Mathieu Trudel-Lapierre
Andre linked the following rationale for the current state of Evolution's 
webkit integration:
https://mail.gnome.org/archives/evolution-list/2012-September/msg00055.html

Status in The Evolution Mail & Calendaring Tool:
  New
Status in “evolution” package in Ubuntu:
  Triaged
Status in “evolution” source package in Quantal:
  Triaged
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-09-21 Thread Mathieu Trudel-Lapierre
** Changed in: evolution (Ubuntu Quantal)
   Status: Triaged => In Progress

Status in The Evolution Mail & Calendaring Tool:
  New
Status in “evolution” package in Ubuntu:
  In Progress
Status in “evolution” source package in Quantal:
  In Progress
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-09-19 Thread Jamie Strandboge
In case anyone needs it, the profile I use is based on this one:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/12.10/usr.bin.evolution

Please note that we are not considering shipping this profile in Ubuntu
at this time-- it is something under development and needs a lot more
work.

Status in The Evolution Mail & Calendaring Tool:
  New
Status in “evolution” package in Ubuntu:
  Triaged
Status in “evolution” source package in Quantal:
  Triaged
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-09-17 Thread Mathieu Trudel-Lapierre
** Changed in: evolution (Ubuntu Quantal)
   Status: Confirmed => In Progress

Status in “evolution” package in Ubuntu:
  In Progress
Status in “evolution” source package in Quantal:
  In Progress
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-09-17 Thread Mathieu Trudel-Lapierre
I looked quickly and couldn't figure out a way to fix this decently;
looks to me like the actual parsing in webkit is happening in a very
different part of the code than the bits that handle whether to show as
plain text or not, so fixing this (keeping in mind that plain-text stuff
is a module), appears non-trivial.

I opened a bug upstream since we'll need help from the Evolution
developers for this one; see
https://bugzilla.gnome.org/show_bug.cgi?id=684245

** Bug watch added: GNOME Bug Tracker #684245
   https://bugzilla.gnome.org/show_bug.cgi?id=684245

** Also affects: evolution via
   https://bugzilla.gnome.org/show_bug.cgi?id=684245
   Importance: Unknown
   Status: Unknown

** Changed in: evolution (Ubuntu Quantal)
   Status: In Progress => Triaged

Status in The Evolution Mail & Calendaring Tool:
  Unknown
Status in “evolution” package in Ubuntu:
  Triaged
Status in “evolution” source package in Quantal:
  Triaged
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-09-17 Thread Bug Watch Updater
** Changed in: evolution
   Status: Unknown => New

** Changed in: evolution
   Importance: Unknown => Medium

Status in The Evolution Mail & Calendaring Tool:
  New
Status in “evolution” package in Ubuntu:
  Triaged
Status in “evolution” source package in Quantal:
  Triaged
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-09-13 Thread Didier Roche
@Mathieu: can you please have a look at this when you have a minute? Can
we disable it for release?

** Also affects: evolution (Ubuntu Quantal)
   Importance: High
   Status: Confirmed

** Changed in: evolution (Ubuntu Quantal)
   Assignee: (unassigned) => Mathieu Trudel-Lapierre (mathieu-tl)

** Changed in: evolution (Ubuntu Quantal)
   Milestone: None => ubuntu-12.10-beta-2

** Tags removed: rls-q-incoming

Status in “evolution” package in Ubuntu:
  Confirmed
Status in “evolution” source package in Quantal:
  Confirmed
Status in “evolution” package in Debian:
  New


[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-08-28 Thread toda
** Also affects: evolution (Debian)
   Importance: Undecided
   Status: New

Status in “evolution” package in Ubuntu:
  Confirmed
Status in “evolution” package in Debian:
  New



[Desktop-packages] [Bug 1037669] Re: gst-plugin-scanner and browser plugins are used when opening certain emails

2012-08-17 Thread Jamie Strandboge
** Changed in: evolution (Ubuntu)
   Status: New => Confirmed

Status in “evolution” package in Ubuntu:
  Confirmed
