** Description changed:

  KDE Project Security Advisory
  =============================
  
  Title:          KMail: JavaScript access to local and remote URLs
  Risk Rating:    Critical
  CVE:            #TODO
  Platforms:      All
  Versions:       kmail 5.3.0
  Author:         #TODO
  Date:            # TODO
  
  Overview
  ========
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
  in the local file security context by default access to remote and local URLs
  was enabled.
  
  Impact
  ======
  
  An unauthenticated attacker can send out mails with malicious content
  with executable JavaScript code that read or write local files and send them
  to
  remote URLs or change the contents of local files in malicous ways. The
  code is executed when when viewing HTML the mails.
  Combined with CVE #TODO this could .
  
  Workaround
  ==========
  
  Assuming a version with CVE #TODO fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  ========
  
  For KMail apply the following patch:
- https://quickgit.kde.org/?
+ https://cgit.kde.org/?
  p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
  
  Credits
  =======
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.

** Description changed:

  KDE Project Security Advisory
  =============================
  
  Title:          KMail: JavaScript access to local and remote URLs
  Risk Rating:    Critical
  CVE:            #TODO
  Platforms:      All
  Versions:       kmail 5.3.0
  Author:         #TODO
  Date:            # TODO
  
  Overview
  ========
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
  in the local file security context by default access to remote and local URLs
  was enabled.
  
  Impact
  ======
  
  An unauthenticated attacker can send out mails with malicious content
  with executable JavaScript code that read or write local files and send them
  to
  remote URLs or change the contents of local files in malicous ways. The
  code is executed when when viewing HTML the mails.
  Combined with CVE #TODO this could .
  
  Workaround
  ==========
  
  Assuming a version with CVE #TODO fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  ========
  
  For KMail apply the following patch:
- https://cgit.kde.org/?
- p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
+ 
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
  
  Credits
  =======
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.

** Description changed:

  KDE Project Security Advisory
  =============================
  
  Title:          KMail: JavaScript access to local and remote URLs
  Risk Rating:    Critical
- CVE:            #TODO
+ CVE:            CVE-2016-7967
  Platforms:      All
  Versions:       kmail 5.3.0
- Author:         #TODO
- Date:            # TODO
+ Author:         Andre Heinecke <aheine...@intevation.de>
+ Date:           6 October 2016
  
  Overview
  ========
  
  KMail since version 5.3.0 used a QWebEngine based viewer
  that had JavaScript enabled. Since the generated html is executed
  in the local file security context by default access to remote and local URLs
  was enabled.
  
  Impact
  ======
  
  An unauthenticated attacker can send out mails with malicious content
  with executable JavaScript code that read or write local files and send them
  to
  remote URLs or change the contents of local files in malicous ways. The
  code is executed when when viewing HTML the mails.
  Combined with CVE #TODO this could .
  
  Workaround
  ==========
  
  Assuming a version with CVE #TODO fixed a user is protected
  from this by only viewing plain text mails.
  
  Solution
  ========
  
  For KMail apply the following patch:
  
https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
  
  Credits
  =======
  
  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing and the problems and reviewing the fix
  and Laurent Montel for fixing the issues.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630699

Title:
  CVE - KMail - JavaScript access to local and remote URLs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1630699/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to