[Bug 1630699] Re: [CVE] KMail - JavaScript access to local and remote URLs

2017-09-16 Thread Simon Quigley
** Changed in: kf5-messagelib (Ubuntu Zesty)
 Assignee: Simon Quigley (tsimonq2) => (unassigned)

** Changed in: kf5-messagelib (Ubuntu)
 Assignee: Simon Quigley (tsimonq2) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630699

Title:
  [CVE] KMail - JavaScript access to local and remote URLs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kf5-messagelib/+bug/1630699/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630699] Re: [CVE] KMail - JavaScript access to local and remote URLs

2017-08-24 Thread Simon Quigley
not-affected for the kf5-messagelib in Zesty because it doesn't use
QtWebEngine. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853241
for reference.

** Changed in: kf5-messagelib (Ubuntu Zesty)
   Status: In Progress => Invalid

** Bug watch added: Debian Bug tracker #853241
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853241



[Bug 1630699] Re: [CVE] KMail - JavaScript access to local and remote URLs

2017-08-24 Thread Simon Quigley
** Description changed:

  KDE Project Security Advisory
  =
  
  Title:  KMail: JavaScript access to local and remote URLs
  Risk Rating:Critical
  CVE:CVE-2016-7967
  Platforms:  All
  Versions:   kmail 5.3.0
  Author: Andre Heinecke 
  Date:   6 October 2016
  
  Overview
  
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
  in the local file security context by default access to remote and local
  URLs was enabled.
  
  Impact
  ==
  
  An unauthenticated attacker can send out mails with malicious content
  with executable JavaScript code that read or write local files and send them
  to remote URLs or change the contents of local files in malicious ways. The
  code is executed when when viewing HTML the mails.
  Combined with CVE-2016-7966 the code could also be executed when viewing
  plain text mails.
  
  Workaround
  ==
  
  Assuming a version with CVE-2016-7966 fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  
  
  For KMail apply the following patch:
- 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
+ 
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
  
  Credits
  ===
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.
  
   This bug also aims to fix: 
  
  KDE Project Security Advisory
  =
  
  Title:  KMail: JavaScript execution in HTML Mails
  Risk Rating:Normal
  CVE:CVE-2016-7968
  Platforms:  All
  Versions:   kmail 5.3.0
  Author: Andre Heinecke 
  Date:   6 October 2016
  
  Overview
  
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. HTML Mail contents were not sanitized for
  JavaScript and included code was executed.
  
  Impact
  ==
  
  An unauthenticated attacker can send out mails with Javascript to manipulate
  the display of messages. The JavaScript executed might be used as an entry
  point for further exploits.
  
  Workaround
  ==
  
  Assuming a version with CVE-2016-7966 fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  
  
  The full solution disables JavaScript in the Mailviewer of KMail. This
  requires API introduced in Qt 5.7.0 so KMail needs to be built with
  Qt 5.7.0 and the following patch:
- 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=f601f9ffb706f7d3a5893b04f067a1f75da62c99
+ 
https://cgit.kde.org/messagelib.git/commit/?id=f601f9ffb706f7d3a5893b04f067a1f75da62c99
  
  For versions previous to 5.7.0 the following patches partly sanitize mails
  but still make it possible to inject code:
- 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=3503b75e9c79c3861e182588a0737baf165abd23
- 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=a8744798dfdf8e41dd6a378e48662c66302b0019
- 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=77976584a4ed2797437a2423704abdd7ece7834a
- 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=fb1be09360c812d24355076da544030a67b736fc
- 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=0402c17a8ead92188971cb604d905b3072d56a73
+ 
https://cgit.kde.org/messagelib.git/commit/?id=3503b75e9c79c3861e182588a0737baf165abd23
+ 
https://cgit.kde.org/messagelib.git/commit/?id=a8744798dfdf8e41dd6a378e48662c66302b0019
+ 
https://cgit.kde.org/messagelib.git/commit/?id=77976584a4ed2797437a2423704abdd7ece7834a
+ 
https://cgit.kde.org/messagelib.git/commit/?id=fb1be09360c812d24355076da544030a67b736fc
+ 
https://cgit.kde.org/messagelib.git/commit/?id=0402c17a8ead92188971cb604d905b3072d56a73
  
  Credits
  ===
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.
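
Review bot: The unchanged Impact line of the CVE-2016-7967 advisory still reads "code is executed when when viewing HTML the mails", and the Credits line in both advisories still reads "for analysing and the problems and reviewing the fix". Since this edit already rewrites the description to repair the links, it is a good moment to correct these to "when viewing HTML mails" and "for analysing the problems and reviewing the fix", so that the advisory text quoted by downstream trackers is clean.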



[Bug 1630699] Re: [CVE] KMail - JavaScript access to local and remote URLs

2017-08-17 Thread Simon Quigley
** Summary changed:

- CVE - KMail - JavaScript access to local and remote URLs
+ [CVE] KMail - JavaScript access to local and remote URLs



[Bug 1630699] Re: CVE - KMail - JavaScript access to local and remote URLs

2017-08-16 Thread Simon Quigley
** Description changed:

  KDE Project Security Advisory
  =
  
  Title:  KMail: JavaScript access to local and remote URLs
  Risk Rating:Critical
  CVE:CVE-2016-7967
  Platforms:  All
  Versions:   kmail 5.3.0
  Author: Andre Heinecke 
  Date:   6 October 2016
  
  Overview
  
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
- in the local file security context by default access to remote and local URLs
- was enabled.
+ in the local file security context by default access to remote and local
+ URLs was enabled.
  
  Impact
  ==
  
  An unauthenticated attacker can send out mails with malicious content
  with executable JavaScript code that read or write local files and send them
- to
- remote URLs or change the contents of local files in malicous ways. The
+ to remote URLs or change the contents of local files in malicious ways. The
  code is executed when when viewing HTML the mails.
- Combined with CVE #TODO this could .
+ Combined with CVE-2016-7966 the code could also be executed when viewing
+ plain text mails.
  
  Workaround
  ==
  
- Assuming a version with CVE #TODO fixed a user is protected
+ Assuming a version with CVE-2016-7966 fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  
  
  For KMail apply the following patch:
- 
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
+ 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
  
  Credits
  ===
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.
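
Review bot: In the Solution section the added line swaps the cgit commit link for a quickgit.kde.org link whose query string, as shown, reads "?p=messagelib.git=commitdiff=" followed by the hash, with no separators between its parameters. That is not a well-formed reference to the commit, so anyone following the advisory to fetch the fix has to reconstruct the link by hand. Suggest keeping the removed "https://cgit.kde.org/messagelib.git/commit/?id=" form, which names the repository and commit explicitly.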

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7968

** Description changed:

  KDE Project Security Advisory
  =
  
  Title:  KMail: JavaScript access to local and remote URLs
  Risk Rating:Critical
  CVE:CVE-2016-7967
  Platforms:  All
  Versions:   kmail 5.3.0
  Author: Andre Heinecke 
  Date:   6 October 2016
  
  Overview
  
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
  in the local file security context by default access to remote and local
  URLs was enabled.
  
  Impact
  ==
  
  An unauthenticated attacker can send out mails with malicious content
  with executable JavaScript code that read or write local files and send them
  to remote URLs or change the contents of local files in malicious ways. The
  code is executed when when viewing HTML the mails.
  Combined with CVE-2016-7966 the code could also be executed when viewing
  plain text mails.
  
  Workaround
  ==
  
  Assuming a version with CVE-2016-7966 fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  
  
  For KMail apply the following patch:
  
https://quickgit.kde.org/?p=messagelib.git=commitdiff=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
  
  Credits
  ===
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.
+ 
+  This bug also aims to fix: 
+ 
+ KDE Project Security Advisory
+ =
+ 
+ Title:  KMail: JavaScript execution in HTML Mails
+ Risk Rating:Normal
+ CVE:CVE-2016-7968
+ Platforms:  All
+ Versions:   kmail 5.3.0
+ Author: Andre Heinecke 
+ Date:   6 October 2016
+ 
+ Overview
+ 
+ 
+ KMail since version 5.3.0 used a QWebEngine based viewer
+ that had JavaScript enabled. HTML Mail contents were not sanitized for
+ JavaScript and included code was executed.
+ 
+ Impact
+ ==
+ 
+ An unauthenticated attacker can send out mails with Javascript to manipulate
+ the display of messages. The JavaScript executed might be used as an entry
+ point for further exploits.
+ 
+ Workaround
+ ==
+ 
+ Assuming a version with CVE-2016-7966 fixed a user is protected
+ from this by only viewing plain text mails.
+ 
+ Solution
+ 
+ 
+ The full solution disables JavaScript in the Mailviewer of KMail. This
+ requires API introduced in Qt 5.7.0 so KMail needs to be built with
+ Qt 5.7.0 and the following patch:
+ 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=f601f9ffb706f7d3a5893b04f067a1f75da62c99
+ 
+ For versions previous to 5.7.0 the following patches partly sanitize mails
+ but still make it possible to inject code:
+ 
https://quickgit.kde.org/?p=messagelib.git=commitdiff=3503b75e9c79c3861e182588a0737baf165abd23
+ 
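
Review bot: In the added CVE-2016-7968 Solution text, "For versions previous to 5.7.0" does not say which component's version is meant: the sentence before it is about Qt 5.7.0, while the advisory header lists "kmail 5.3.0" under Versions. Suggest naming the component explicitly (Qt, going by the preceding sentence). Because the same sentence states that these patches "still make it possible to inject code", it would also help to repeat there that the plain-text workaround remains necessary on such builds.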

[Bug 1630699] Re: CVE - KMail - JavaScript access to local and remote URLs

2017-08-15 Thread Simon Quigley
status inprogress


** Package changed: ubuntu => kf5-messagelib (Ubuntu)



[Bug 1630699] Re: CVE - KMail - JavaScript access to local and remote URLs

2017-08-15 Thread Seth Arnold
** Also affects: kf5-messagelib (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Changed in: kf5-messagelib (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: kf5-messagelib (Ubuntu Zesty)
 Assignee: (unassigned) => Simon Quigley (tsimonq2)



[Bug 1630699] Re: CVE - KMail - JavaScript access to local and remote URLs

2017-08-10 Thread Simon Quigley
Fixed with 4:16.12.3-0ubuntu1, not applicable to the one in Zesty.

** Changed in: ubuntu
   Status: Triaged => Fix Released



[Bug 1630699] Re: CVE - KMail - JavaScript access to local and remote URLs

2017-08-10 Thread Simon Quigley
** Description changed:

  KDE Project Security Advisory
  =
  
  Title:  KMail: JavaScript access to local and remote URLs
  Risk Rating:Critical
  CVE:#TODO
  Platforms:  All
  Versions:   kmail 5.3.0
  Author: #TODO
  Date:# TODO
  
  Overview
  
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
  in the local file security context by default access to remote and local URLs
  was enabled.
  
  Impact
  ==
  
  An unauthenticated attacker can send out mails with malicious content
  with executable JavaScript code that read or write local files and send them
  to
  remote URLs or change the contents of local files in malicous ways. The
  code is executed when when viewing HTML the mails.
  Combined with CVE #TODO this could .
  
  Workaround
  ==
  
  Assuming a version with CVE #TODO fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  
  
  For KMail apply the following patch:
- https://quickgit.kde.org/?
+ https://cgit.kde.org/?
  p=messagelib.git=commitdiff=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
  
  Credits
  ===
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.
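
Review bot: The added "https://cgit.kde.org/?" line in the Solution section changes only the host; the query on the following context line is still "p=messagelib.git=commitdiff=" plus the hash, and the link stays split across two lines, so the result is not a usable commit reference. Suggest a single-line link in the cgit path form, "https://cgit.kde.org/messagelib.git/commit/?id=" followed by the commit hash.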

** Description changed:

  KDE Project Security Advisory
  =
  
  Title:  KMail: JavaScript access to local and remote URLs
  Risk Rating:Critical
  CVE:#TODO
  Platforms:  All
  Versions:   kmail 5.3.0
  Author: #TODO
  Date:# TODO
  
  Overview
  
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
  in the local file security context by default access to remote and local URLs
  was enabled.
  
  Impact
  ==
  
  An unauthenticated attacker can send out mails with malicious content
  with executable JavaScript code that read or write local files and send them
  to
  remote URLs or change the contents of local files in malicous ways. The
  code is executed when when viewing HTML the mails.
  Combined with CVE #TODO this could .
  
  Workaround
  ==
  
  Assuming a version with CVE #TODO fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  
  
  For KMail apply the following patch:
- https://cgit.kde.org/?
- p=messagelib.git=commitdiff=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
+ 
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
  
  Credits
  ===
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.

** Description changed:

  KDE Project Security Advisory
  =
  
  Title:  KMail: JavaScript access to local and remote URLs
  Risk Rating:Critical
- CVE:#TODO
+ CVE:CVE-2016-7967
  Platforms:  All
  Versions:   kmail 5.3.0
- Author: #TODO
- Date:# TODO
+ Author: Andre Heinecke 
+ Date:   6 October 2016
  
  Overview
  
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
  in the local file security context by default access to remote and local URLs
  was enabled.
  
  Impact
  ==
  
  An unauthenticated attacker can send out mails with malicious content
  with executable JavaScript code that read or write local files and send them
  to
  remote URLs or change the contents of local files in malicous ways. The
  code is executed when when viewing HTML the mails.
  Combined with CVE #TODO this could .
  
  Workaround
  ==
  
  Assuming a version with CVE #TODO fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  
  
  For KMail apply the following patch:
  
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
  
  Credits
  ===
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.
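
Review bot: The header fields are now filled in, but the Impact and Workaround context lines still carry the placeholder: "Combined with CVE #TODO this could ." is an unfinished sentence, and "Assuming a version with CVE #TODO fixed" names no CVE, so the workaround cannot be checked against a specific fix. Suggest completing both with the related CVE identifier and its effect in the same edit, or dropping the unfinished sentence until that is known.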



[Bug 1630699] Re: CVE - KMail - JavaScript access to local and remote URLs

2016-10-07 Thread Clive Johnston
** Information type changed from Private Security to Public Security
