[Bug 1630700] Re: [CVE] KMail - HTML injection in plain text viewer
** Changed in: kcoreaddons (Ubuntu Precise) Assignee: Simon Quigley (tsimonq2) => (unassigned) ** Changed in: kcoreaddons (Ubuntu Xenial) Assignee: Simon Quigley (tsimonq2) => (unassigned) ** Changed in: kdepimlibs (Ubuntu Trusty) Assignee: Simon Quigley (tsimonq2) => (unassigned) -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdepimlibs in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: [CVE] KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: [CVE] KMail - HTML injection in plain text viewer
This bug was fixed in the package kdepimlibs - 4:4.13.3-0ubuntu0.4 --- kdepimlibs (4:4.13.3-0ubuntu0.4) trusty-security; urgency=high * SECURITY UPDATE: KMail: HTML injection in plain text viewer (LP: #1630700) - CVE-2016-7966 - The security vulnerability was not completely fixed in the last update. This upload applies one additional commit from upstream to completely fix it. - Split CVE-2016-7966.diff into CVE-2016-7966_1.patch and CVE-2016-7966_2.patch and add DEP-3 meta-information to make it clear that to fix the CVE, two patches are needed. -- Simon Quigley Thu, 10 Aug 2017 17:52:29 -0500 -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdepimlibs in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: [CVE] KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: [CVE] KMail - HTML injection in plain text viewer
This bug was fixed in the package kcoreaddons - 5.18.0-0ubuntu1.1 --- kcoreaddons (5.18.0-0ubuntu1.1) xenial-security; urgency=high * SECURITY UPDATE: KMail - HTML injection in plain text viewer (LP: #1630700) - CVE-2016-7966 - CVE-2016-7966_1.patch - 1be727 from upstream - CVE-2016-7966_2.patch - 96e562 from upstream - CVE-2016-7966_3.patch - a06cef from upstream - CVE-2016-7966_4.patch - 5e13d2 from upstream -- Simon Quigley Fri, 11 Aug 2017 23:36:27 -0500 ** Changed in: kcoreaddons (Ubuntu Xenial) Status: In Progress => Fix Released ** Changed in: kdepimlibs (Ubuntu Trusty) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdepimlibs in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: [CVE] KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: [CVE] KMail - HTML injection in plain text viewer
Here is a follow-up patch for kdepimlibs in Trusty applicable to 4.13.3-0ubuntu0.3 that addresses some general feedback I have received on other bug reports. This shouldn't need any new testing because this is technically the same as the last debdiff. ** Patch added: "2-4.13.3-0ubuntu0.4.debdiff" https://bugs.launchpad.net/ubuntu/+source/kdepimlibs/+bug/1630700/+attachment/4931060/+files/2-4.13.3-0ubuntu0.4.debdiff -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdepimlibs in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: [CVE] KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: [CVE] KMail - HTML injection in plain text viewer
Here's a debdiff for kcoreaddons in Xenial applicable to 5.18.0-0ubuntu1. I tested it and it works fine. ** Patch added: "1-5.18.0-0ubuntu1.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/kdepimlibs/+bug/1630700/+attachment/4931056/+files/1-5.18.0-0ubuntu1.1.debdiff -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdepimlibs in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: [CVE] KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: [CVE] KMail - HTML injection in plain text viewer
Attached is a debdiff for kdepimlibs in Trusty applicable to 4.13.3-0ubuntu0.3. I tested this on a fresh Kubuntu 14.04 LTS install and it works fine. ** Patch added: "1-4.13.3-0ubuntu0.4.debdiff" https://bugs.launchpad.net/ubuntu/+source/kdepimlibs/+bug/1630700/+attachment/4930441/+files/1-4.13.3-0ubuntu0.4.debdiff -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdepimlibs in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: [CVE] KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: [CVE] KMail - HTML injection in plain text viewer
** Summary changed: - CVE - KMail - HTML injection in plain text viewer + [CVE] KMail - HTML injection in plain text viewer -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdepimlibs in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: [CVE] KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
As shown in the bug description edit, this bug is not 100% fixed yet. I'm working on fixes. -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdepimlibs in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
** Also affects: kdepimlibs (Ubuntu) Importance: Undecided Status: New ** No longer affects: kdepimlibs (Ubuntu Precise) ** Changed in: kdepimlibs (Ubuntu Trusty) Status: New => In Progress ** Changed in: kdepimlibs (Ubuntu Trusty) Assignee: (unassigned) => Simon Quigley (tsimonq2) ** Changed in: kdepimlibs (Ubuntu) Status: New => Fix Released ** No longer affects: kdepimlibs (Ubuntu Xenial) ** No longer affects: kdepimlibs (Ubuntu Yakkety) -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdepimlibs in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
** Changed in: kcoreaddons (Ubuntu Xenial) Assignee: (unassigned) => Simon Quigley (tsimonq2) ** Changed in: kcoreaddons (Ubuntu Xenial) Status: Confirmed => In Progress ** Description changed: KDE Project Security Advisory = - Title: KMail: HTML injection - Risk Rating: Important - CVE: #TODO + Title: KMail: HTML injection in plain text viewer + Risk Rating:Important + CVE:CVE-2016-7966 Platforms: All Versions: kmail >= 4.4.0 - Author: #TODO - Date:#TODO + Author: Andre Heinecke + Date: 6 October 2016 Overview Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content. Impact == An unauthenticated attacker can send out mails with malicious content that breaks KMail's plain text HTML escape logic. Due to the limitations of the provided HTML in itself it might not be serious. But as a way to break out of KMail's restricted Plain text mode this might open the way to the exploitation of other vulnerabilities in the HTML viewer code, which is disabled by default. Workaround == None. Solution For KDE Frameworks based releases of KMail apply the following patch to kcoreaddons: + https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12 - https://quickgit.kde.org/? - p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12 - - For KDE 4 apply the following patch: - https://quickgit.kde.org/? - p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf + For kdelibs4 based releases apply the following patch: + https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf Credits === Thanks to Roland Tapken for reporting this issue, Andre Heinecke from Intevation GmbH for analysing the problems and Laurent Montel for fixing this issue. + + + Updated Information (1 November 2016) + = + + The above mentioned patches are not enough to fix the vulnerability completely. + This wasn't visible, because the patches for CVE-2016-7967 and CVE-2016-7968 made sure, + that this vulnerability can't harm anymore. + It only became visible, that this vulnerability isn't closed completely for systems, + that are only affected by this CVE. + + For KCoreAddons you need: + https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12 + for applying this patch you may also need to cherry-pick: + https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=1be7272373d60e4234f1a5584e676b579302b053 + (these two are released in KCoreAddons KDE Frameworks 5.27.0) + + additionally git commits, to close completely: + https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a + not needed in the strong sense, but this will give you the additional automatic tests, to test if this CVE is closed: + https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=a06cef31cc4c908bc9b76bd9d103fe9c60e0953f + (will be part of KCoreAddons KDE Frameworks 5.28.0) + + For kdepimlibs 4.14: + https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf + https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=8bbe1bd3fdc55f609340edc667ff154b3d2aaab1 + kdepimlibs is at end of life, so no further release is planned. -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
Unsubscribing ubuntu-security-sponsors for now since there is nothing to sponsor. Once a debdiff is attached, please re-subscribe the group. Thanks! ** Changed in: kcoreaddons (Ubuntu Trusty) Status: New => Fix Released ** Changed in: kcoreaddons (Ubuntu Precise) Status: In Progress => Invalid ** Changed in: kcoreaddons (Ubuntu Trusty) Status: Fix Released => Invalid ** Changed in: kcoreaddons (Ubuntu Xenial) Status: New => Confirmed -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
** Changed in: kcoreaddons (Ubuntu Xenial) Importance: Undecided => High ** Changed in: kcoreaddons (Ubuntu Trusty) Importance: Undecided => High ** Changed in: kcoreaddons (Ubuntu Precise) Importance: Undecided => High -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
This bug was fixed in the package kcoreaddons - 5.26.0-0ubuntu2 --- kcoreaddons (5.26.0-0ubuntu2) yakkety; urgency=medium * SECURITY UPDATE: KMail - HTML injection in plain text viewer (LP: #1630700) - debian/patches/0001-Fix-very-old-bug-when-we-remove-space-in- url-as-foo-.patch: Code added by upstream to fix another bug, but needs to be applied in advance of patch 0002 - debian/patches/0002-Don-t-convert-as-url-an-url-which-has-a.patch: Fixes CVE-2016-7966 Patches cherrypicked from Debian: https://anonscm.debian.org/git/pkg-kde/frameworks/kcoreaddons.git Commit: ab7258dd8a87668ba63c585a69f41f291254aa43 Many thanks to Sandro Knauß for these patches -- Clive Johnston Fri, 07 Oct 2016 23:57:19 +0100 ** Changed in: kcoreaddons (Ubuntu Yakkety) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
** Changed in: kcoreaddons (Ubuntu Precise) Status: New => In Progress ** Changed in: kcoreaddons (Ubuntu Precise) Assignee: (unassigned) => Simon Quigley (tsimonq2) -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
The attachment "precise.debdiff" seems to be a debdiff. The ubuntu- sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
** Also affects: kcoreaddons (Ubuntu Yakkety) Importance: High Assignee: Simon Quigley (tsimonq2) Status: In Progress ** Also affects: kcoreaddons (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: kcoreaddons (Ubuntu Yakkety) Assignee: Simon Quigley (tsimonq2) => Clive Johnston (clivejo) -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
** Also affects: kcoreaddons (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: kcoreaddons (Ubuntu Trusty) Importance: Undecided Status: New -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
[18:18:58] infinity: Kubuntu would like to get a security fix in before release: https://anonscm.debian.org/git/pkg-kde/frameworks/kcoreaddons.git/commit/?id=ab7258dd8a87668ba63c585a69f41f291254aa43 [18:19:26] ScottK: Security fixes welcome. [18:19:39] K. Thanks. -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
Debian patch - https://anonscm.debian.org/git/pkg- kde/frameworks/kcoreaddons.git/commit/?id=ab7258dd8a87668ba63c585a69f41f291254aa43 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kcoreaddons in Ubuntu. https://bugs.launchpad.net/bugs/1630700 Title: CVE - KMail - HTML injection in plain text viewer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs