Bug 1382286 (CVE-2016-7966)

Summary: CVE-2016-7966 kdepim: HTML injection in plain text viewer of KMail
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: cbuissar, jgrulich, jreznik, me, ovasik, rdieter, smparrish, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-23 18:47:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1382296, 1382297, 1382298, 1382299    
Bug Blocks: 1382295    

Description Adam Mariš 2016-10-06 09:17:25 UTC 
Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

Affected versions: kmail >= 4.4.0

CVE assignment:

http://seclists.org/oss-sec/2016/q4/23

Upstream patch set for kdepimlibs:
* Backport avoid to transform as a url when we have a quote
https://cgit.kde.org/kdepimlibs.git/commit/?id=176fee25ca
* Backport show bad url text
https://cgit.kde.org/kdepimlibs.git/commit/?id=8bbe1bd3

External References:

https://www.kde.org/info/security/advisory-20161006-1.txt
Comment 1 Adam Mariš 2016-10-06 09:32:34 UTC 
Created kdepim3 tracking bugs for this issue:

Affects: fedora-all [bug 1382297]
Affects: epel-7 [bug 1382299]
Comment 2 Adam Mariš 2016-10-06 09:32:43 UTC 
Created kdepim tracking bugs for this issue:

Affects: fedora-all [bug 1382296]
Comment 3 Adam Mariš 2016-10-06 09:32:50 UTC 
Created kdepim4 tracking bugs for this issue:

Affects: fedora-all [bug 1382298]
Comment 4 Than Ngo 2016-10-06 09:45:23 UTC 
do we have any testcases to reproduce the issues?
Comment 5 Than Ngo 2016-10-17 14:54:01 UTC 
(In reply to Adam Mariš from comment #3)
> Created kdepim4 tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1382298]

it's not effected in kdepim4 but in kdepimlibs. Could you please change it?
Thanks
Comment 6 Fedora Update System 2016-10-30 17:54:26 UTC 
kdepim-16.08.2-1.fc24, kdepim-addons-16.08.2-1.fc24, kdepim-apps-libs-16.08.2-1.fc24, kdepim-runtime-16.08.2-1.fc24, kf5-akonadi-calendar-16.08.2-1.fc24, kf5-akonadi-contacts-16.08.2-1.fc24, kf5-akonadi-mime-16.08.2-1.fc24, kf5-akonadi-notes-16.08.2-1.fc24, kf5-akonadi-search-16.08.2-1.fc24, kf5-akonadi-server-16.08.2-1.fc24, kf5-calendarsupport-16.08.2-1.fc24, kf5-eventviews-16.08.2-1.fc24, kf5-gpgmepp-16.08.2-1.fc24, kf5-grantleetheme-16.08.2-1.fc24, kf5-incidenceeditor-16.08.2-1.fc24, kf5-kalarmcal-16.08.2-1.fc24, kf5-kblog-16.08.2-1.fc24, kf5-kcalendarcore-16.08.2-1.fc24, kf5-kcalendarutils-16.08.2-1.fc24, kf5-kcontacts-16.08.2-1.fc24, kf5-kdgantt2-16.08.2-1.fc24, kf5-kholidays-16.08.2-1.fc24, kf5-kidentitymanagement-16.08.2-1.fc24, kf5-kimap-16.08.2-1.fc24, kf5-kldap-16.08.2-1.fc24, kf5-kmailtransport-16.08.2-1.fc24, kf5-kmbox-16.08.2-1.fc24, kf5-kmime-16.08.2-1.fc24, kf5-kontactinterface-16.08.2-1.fc24, kf5-kpimtextedit-16.08.2-1.fc24, kf5-ktnef-16.08.2-1.fc24, kf5-libgravatar-16.08.2-1.fc24, kf5-libkdepim-16.08.2-1.fc24, kf5-libkleo-16.08.2-1.fc24, kf5-libksieve-16.08.2-1.fc24, kf5-mailcommon-16.08.2-1.fc24, kf5-mailimporter-16.08.2-1.fc24, kf5-messagelib-16.08.2-1.fc24, kf5-pimcommon-16.08.2-1.fc24, kf5-syndication-16.08.2-1.fc24, kleopatra-16.08.2-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Cedric Buissart 2017-03-24 10:38:57 UTC 
Statement:

This issue did not affect the versions of kdepim as shipped with Red Hat Enterprise Linux 5, 6 or 7 as they did not include support for kmail, or are not shipped with vulnerable versions.