Bug#913595: CVE-2018-19120: kio-extras: HTML Thumbnailer automatic remote file access

Mon, 12 Nov 2018 11:52:36 -0800 

Package: kio-extras
Version: 4:18.08.1-1
Severity: important
Tags: security

Dear Maintainer,

"KDE Project Security Advisory: kio-extras: HTML Thumbnailer automatic
remote file access" (Message-ID: <5460566.RsyoOK3lV2@xps>, for some reason
the mailing list archives are for subscribers only) mentions that
'htmlthumbnail.so' accesses content from remote files in HTML files to
thumbnail. It has been assigned CVE number CVE-2018-19120.

KDE developers removed the HTML thumbnailer for KDE Applications 18.12.

Work-around is to remove

/usr/lib/x86_64-linux-gnu/qt5/plugins/htmlthumbnail.so

The announcement should be accessible to the public on

https://www.kde.org/announcements/

soon.

Thanks,
Martin

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-tp520 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kio-extras depends on:
ii  kio                      5.51.0-1
ii  kio-extras-data          4:18.08.1-1
ii  libc6                    2.27-8
ii  libgcc1                  1:8.2.0-9
ii  libkf5activities5        5.51.0-1
ii  libkf5archive5           5.51.0-1
ii  libkf5bookmarks5         5.51.0-1
ii  libkf5codecs5            5.51.0-1
ii  libkf5configcore5        5.51.0-1
ii  libkf5configgui5         5.51.0-1
ii  libkf5configwidgets5     5.51.0-1
ii  libkf5coreaddons5        5.51.0-1
ii  libkf5dbusaddons5        5.51.0-1
ii  libkf5dnssd5             5.51.0-1
ii  libkf5guiaddons5         5.51.0-1
ii  libkf5i18n5              5.51.0-1
ii  libkf5iconthemes5        5.51.0-1
ii  libkf5khtml5             5.51.0-1
ii  libkf5kiocore5           5.51.0-1
ii  libkf5kiofilewidgets5    5.51.0-1
ii  libkf5kiowidgets5        5.51.0-1
ii  libkf5parts5             5.51.0-1
ii  libkf5pty5               5.51.0-1
ii  libkf5service-bin        5.51.0-1
ii  libkf5service5           5.51.0-1
ii  libkf5solid5             5.51.0-1
ii  libkf5xmlgui5            5.51.0-1
ii  libmtp9                  1.1.13-1
ii  libopenexr23             2.2.1-4
ii  libphonon4qt5-4          4:4.10.1-1
ii  libqt5core5a             5.11.2+dfsg-4
ii  libqt5dbus5              5.11.2+dfsg-4
ii  libqt5gui5               5.11.2+dfsg-4
ii  libqt5network5           5.11.2+dfsg-4
ii  libqt5sql5               5.11.2+dfsg-4
ii  libqt5svg5               5.11.2-2
ii  libqt5webenginewidgets5  5.11.2+dfsg-2
ii  libqt5widgets5           5.11.2+dfsg-4
ii  libqt5xml5               5.11.2+dfsg-4
ii  libsmbclient             2:4.9.1+dfsg-2
ii  libssh-4                 0.8.4-3
ii  libstdc++6               8.2.0-9
ii  libtag1v5                1.11.1+dfsg.1-0.2+b1
ii  phonon4qt5               4:4.10.1-1

kio-extras recommends no packages.

kio-extras suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: missing file /usr/lib/x86_64-linux-gnu/qt5/plugins/htmlthumbnail.so 
(from kio-extras package)

Reply via email to